N.C. judge dismisses voting machine case; vendor may pull out

RALEIGH, N.C. (AP) - One of the nation's leading suppliers of electronic voting machines may decide against selling new equipment in North Carolina after a judge declined Monday to protect it from criminal prosecution should it fail to disclose software code as required by state law.

Diebold Inc., which makes automated teller machines and security and voting equipment, is worried it could be charged with a felony if officials determine the company failed to make all of its code -- some of which is owned by third-party software firms, including Microsoft Corp. -- available for examination by election officials in case of a voting mishap.

The requirement is part of the minimum voting equipment standards approved by state lawmakers earlier this year following the loss of more than 4,400 electronic ballots in Carteret County during the November 2004 election. The lost votes threw at least one close statewide race into uncertainty for more than two months.

About 20 North Carolina counties already use Diebold voting machines, and the State Board of Elections plans to announce Thursday the suppliers that meet the new standards. Local elections boards will be allowed to purchase voting machines from the approved vendors.

``We will obviously have no alternative but withdraw from the process,'' said Doug Hanna, a Raleigh-based lawyer representing North Canton, Ohio-based Diebold.

David Bear, a Diebold spokesman, said the company was reviewing several options after Monday's ruling. ``We're going to do what is necessary to provide what is best for our existing clients'' in North Carolina, he said.

The dispute centers on the state's requirement that suppliers place in escrow ``all software that is relevant to functionality, setup, configuration, and operation of the voting system,'' as well as a list of programmers responsible for creating the software.

That's not possible for Diebold's machines, which use Microsoft Windows, Hanna said. The company does not have the right to provide Microsoft's code, he said, adding it would be impossible to provide the names of every programmer who worked on Windows.

The State Board of Elections has told potential suppliers to provide code for all available software and explain why some is unavailable. That's not enough of an assurance for Diebold, which remains concerned about breaking a law that's punishable by a low-grade felony and a civil penalty of up to $100,000 per violation.

``You cannot have a statute that imposes a criminal violation ... without being clear about what conduct will submit you to a criminal violation,'' Hanna said.

But because no one has yet to accuse Diebold of breaking the law, Wake County Superior Court Judge Narley Cashwell declined to issue an injunction that would have protected the company from prosecution. Cashwell also declined to offer an interpretation of the law that would have allayed Diebold's concerns.

``We need to comply with the literal language and the statute,'' Cashwell said. ``I don't think we have an issue here yet.''

Diebold machines were blamed for voting disruptions in a California primary election last year. California has refused to certify some machines because of their malfunction rate. California officials have agreed to let a computer expert attempt to hack into Diebold machines to examine how secure they are.

On Monday, California Secretary of State Bruce McPherson said his office might seek to expand such testing to all systems seeking certification for use in California's 58 counties.

Diebold shares fell 71 cents, or 1.8 percent, to close at $38.93 Monday on the New York Stock Exchange.

Oh, Judge Narley was kind enough to inflict the State of North Carolina with the damn Miss North Carolina (bogus) lawsuit.

RALEIGH, N.C. (AP) — An arbitrator will decide the breach of contract lawsuit filed by Rebekah Revels against the Miss North Carolina organization, a judge has ruled.

Wake County Superior Court Judge Narley Cashwell ordered Monday that an arbitrator would hear Revels’ case against the pageant. He previously had ordered arbitration in her lawsuit against eight people, including five pageant board members.

Revels’ lawyer, Barry Nakell, objected to Cashwell’s order, but said after the hearing that he was satisfied with the judge’s decision. He said he hoped arbitration could begin in late May or early June, allowing a decision before the next Miss North Carolina pageant.

That would be “in time for the new pageant so she could be celebrated as Miss North Carolina 2002 … and then crown the new Miss North Carolina,” Nakell said after the hearing.

Harley Jones, attorney for the state organization, sought the arbitration order after Cashwell denied his request to dismiss Miss North Carolina as a defendant in one of two lawsuits that Nakell has filed in Wake and Robeson counties.

Revels won the crown last June but resigned in July after an ex-boyfriend told state pageant officials he had topless photographs of her. She later said she was forced to step down.

Her successor, Misty Clymer, represented North Carolina in the Miss America pageant, but Revels was invited to represent the United States in the Miss World competition.

After the Miss America pageant, Cashwell ruled that neither woman could claim she was Miss North Carolina until the matter was settled.

Revels’ case against the Miss America Organization is still scheduled to go to trial in Robeson County, Nakell said. Last month, Cashwell denied a motion by the Miss America Organization to send that lawsuit to arbitration.

He's GOT to be a Democrat.

More Calls to Vet Voting Machines
By Louise Witt

Story location: http://www.wired.com/news/politics/0,1283,59874,00.html

02:00 AM Aug. 04, 2003 PT

A recent report that showed touch-screen voting machines could be vulnerable to hackers spurred the National Association of Secretaries of State, a majority of whose members are in charge of their states' elections, to consider whether the standards for the machines should be beefed up to prevent tampering.

Voting machine standards weren't on the agenda at the association's annual meeting, held in late July in Portland, Maine. But after the study (PDF) by Johns Hopkins University researchers was publicly released, the group discussed asking the National Institute of Standards and Technology, or NIST, the government's standards-setting organization, to prepare a white paper on security standards for the new generation of computerized voting machines.

No decision was made, said Kay Albowicz, a representative for the Washington, D.C., group. NIST, a nonregulatory agency based in Gaithersburg, Maryland, works with industry to develop and apply technology, measurements and standards.

Computer scientists have raised concerns about the security of computerized voting machines for the past few years, but they haven't been able to gather much support from election officials, who remain confident that the systems are basically secure from tampering and breakdowns. The Johns Hopkins study is the first piece of evidence that current touch-screen technology could be seriously flawed.

While stressing that more studies will have to be conducted to find out just how vulnerable these are, "there is a sense that in the past (critics of computerized machines) were part of the black box crowd and conspiracy theorists," Albowicz said. "No one is saying that now."

Aviel Rubin, technical director of the Johns Hopkins Information Security Institute, led a team of three computer scientists to examine source code for touch-screen voting machines made by Diebold. More than 40,000 Diebold voting machines are in use in 37 states. Most use touch-screen technology, while the rest use optical-scanning equipment, said Mike Jacobsen, a company spokesman.

The code was downloaded earlier this year from a company FTP site. The site isn't public, but it's also not secure. Diebold's field representatives used the site to fix the company's voting machines. Diebold has since pulled the source code off the Internet. The company's employees now carry discs.

Within a half-hour of examining the code, Rubin's team found its first red flag. The password was embedded in the source code. "You learn (not to do) that in security 101," said Tadayoshi Kohno, one of the report's co-authors. "The designers didn't follow standard engineering processes."

Other "stunning flaws" Rubin said the team found in Diebold's source code included voter smart cards that could be manipulated to cast more than one vote, software that could be reconfigured by malicious company workers or election officials to alter voters' ballot choices without their knowledge and machines that could be electronically broken into through remote access.

"The people who wrote this code didn't have very good security training," Rubin said. "They didn't use encryption."

Diebold spokesmen said the code Rubin downloaded and examined was more than a year old. The code he obtained was "less than 5 percent" of the whole application, they said. In addition, the application Rubin examined "on the whole is not the same" as applications in machines used in elections in places like Georgia and Maryland, said John Kristoff, Diebold's director of communication and investor relations.

Diebold cannot determine whether the lines of code that raised concern for Rubin were used in machines in the field, Kristoff said.

When asked if the source code contained the passwords to the system, Diebold's Jacobsen said, "I can't say. The flaws that the researchers found were found in a very controlled, clinical environment and weren't subject to the stringent auditing and security processes, including the logic and accuracy testing." Jacobsen said he believed Wylie Laboratories tested Diebold's software.

Kristoff also pointed out that Rubin examined code on a networked personal computer running Windows 2000. In the field, no one could connect a voting machine to a network, or attach a keyboard, monitor or mouse to make its innards as accessible as a PC's. Kristoff said the machines run on Windows CE, a specialized, non-consumer version of the Windows operating system.

David Dill, a professor of computer science at Stanford University and a member of the California Secretary of State's Ad Hoc Touch Screen Task Force, said Rubin's report confirms what he and other computer scientists have believed for years: Electronic machines are vulnerable and there needs to be a backup system to verify voters' ballots.

The ad hoc task force recommended a voter-verifiable audit trail. One solution could be a machine that generates paper receipts behind a glass barrier showing voters that their votes have been properly cast. The receipts later could be used for recounts.

"I think it's been obvious that (these machines) can be hacked and Aviel shows that they can be hacked," Dill said. "They've blown up all the arguments that the present machines are OK and the process will solve all these problems."

Mary Kiffmeyer, Minnesota's Secretary of State and the new National Association of Secretaries of State president, said there shouldn't be a "rush to judgment" to condemn the current technology used in touch-screen voting machines.

She pointed out that Georgia used new touch-screen machines in its 2002 elections without incident. But she said the association will push for the federal government to release additional funding from the Help America Vote Act, or HAVA, to study what standards should be in place.

"Standards are being revised as new equipment comes along," she said. "We need to speed up the process and focus on (the standards) as we are rapidly making decisions about our equipment."

Congress passed HAVA in 2002 in response to the November 2000 presidential election debacle, with its hanging chads, butterfly ballots and messy voter-registration records and administration.

Congress authorized $3.9 billion for HAVA to replace outdated punch-card and lever voting machines, to improve voter education, to provide better ballot booth access for the disabled and to modernize statewide voter-registration databases.

Congress also appropriated $1.5 billion for HAVA in the fiscal year ending in September. Of that, the federal government gave states $649.5 million to buy new voting machines and to improve their electoral administration. Another $830 million is waiting to be dispersed as soon as an election commission is established. Congress appropriated only $500 million for fiscal 2004.

Penelope Bonsall, director of the Federal Election Commission's Office of Election Administration, said the president has named the commission's four members, but they have not been officially nominated. Congress is now in recess and won't be able to approve the commission until it returns in September.

The 2006 deadline for states to comply with HAVA looms. Even though new standards may be needed for computerized machines, states and local governments are rushing to buy equipment.

At the end of 2002, 19.6 percent of votes nationwide were recorded on touch-screen equipment, up from 3.9 percent in 1992, according to the Federal Election Commission. Another 31.6 percent were recorded using optical-scanning equipment. Georgia had all new machines in place for its elections in 2002. Maryland just placed a $55 million order with Diebold for 11,000 machines -- the state will have all new machines. Maryland first bought Diebold machines in November 2002.

Some computer scientists say HAVA's deadline should be extended to give the government more time to establish better standards for new computerized voting machines. Rebecca Mercuri, a research fellow at Harvard University's John F. Kennedy School of Government and president of Notable Software, a consulting firm in Lawrenceville, New Jersey, says that in the absence of new standards, the Institute of Electrical and Electronics Engineers, of which she is a member, has formed a committee to create standards for the machines. One of the committee's concerns is a voter-verified audit trail.

Rep. Rush Holt (D-N.J.) introduced a bill, H.R. 2239, in May to amend HAVA to require computerized voting machines to provide voter-verified audit trails. So far, his bill has 26 sponsors and it's unlikely to get out of the Committee on House Administration.

"As the computer scientists at Johns Hopkins recently reported, these new machines are vulnerable to massive fraud," Holt said in a statement. "Unless Congress acts to pass legislation that would make sure that all computer voting machines have a paper record that voters can verify when they cast their ballots, voters and election officials will have no way of knowing whether the computers are counting votes properly."

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.