Diebold Backs Off Legal Challenge

In August, activists posted Diebold memos online that suggested the company knew its electronic voting machines were insecure. The company responded with legal threats. Now it's pulling back in the face of opposition. By Kim Zetter.

Diebold Election Systems is withdrawing legal threats against voting activists and Internet service providers for publishing copies of internal staff e-mails that the company says were stolen from its servers.

The documents pointed to security flaws with Diebold's computerized voting machines and suggested the company knew about those flaws long before it sold machines to several states, including California, Maryland and Georgia.

Beginning in August, Diebold issued cease-and-desist letters to more than a dozen individuals who posted the documents or links to sites hosting them on the Internet. The company claimed copyright infringement under the Digital Millennium Copyright Act, or DMCA, a law designed to guard against the improper use of creative works. Diebold said the documents revealed proprietary information about the workings of its e-voting system that would benefit its competitors.

The nonprofit ISP Online Policy Group and two Swarthmore College students sought a court order in October to block Diebold's action. On Monday, Diebold reversed itself without explaining its decision, saying only that it would not sue over the copyright claims.

In a conference call with U.S. District Judge Jeremy Fogel and a lawyer for the Electronic Frontier Foundation, which is representing the Online Policy Group and the students, Diebold said it would send letters to the ISPs retracting demands that they take down the documents.

Diebold spokesman David Bear said no one should interpret the move as a sign that the DMCA did not apply in this case. "We've simply chosen not to pursue copyright infringement in this matter," he said.

More than 13,000 internal Diebold e-mails and documents were taken from a Diebold staff server last March and delivered to voting activist Bev Harris and her publisher, along with a Wired News reporter, in August. Harris has written a book based on a year's worth of research into companies that make e-voting machines.

After Harris posted the memos on her website, Diebold sent cease-and-desist letters to her and her ISP. A Swarthmore student who subsequently published the memos also received a letter.

Other Swarthmore students then launched a civil disobedience campaign against Diebold calling for greater scrutiny of e-voting machines. Students at Harvard, MIT, Carnegie Mellon, Duke University, the University of California at Berkeley and numerous other campuses followed suit.

In October, the Online Policy Group and two Swarthmore students filed for the court order to prevent Diebold from issuing further legal threats, aided by the Electronic Frontier Foundation and the Center for Internet and Society Cyberlaw Clinic at Stanford Law School.

They charged Diebold with misusing the DMCA to stifle discussion about the reliability of electronic voting machines in general and about the insecurity of the company's machines in particular.

The Diebold e-mails consisted of internal correspondence sent by company employees to several staff mailing lists related to bug fixes, technical support and company announcements.

They detailed information about the internal workings of the electronic voting machine maker and pointed to difficulties with the company's machines cited by employees and election officials.

Among revelations contained in the memos was information that the Microsoft Access database used by the Diebold system to collect and calculate votes was not protected by a password. This meant someone could alter votes by entering the database through physical access to the machine or remotely using the phone system.

The memos also revealed that the audit log, which records any activity in the Access database, could be easily altered so that an intruder could erase a record of the intrusion.

These security flaws were pointed out to Diebold in 2001, but a Diebold engineer responded by saying the company preferred not to password-protect the database because it was easier to do "end-runs" in the system -- a term that describes when someone changes software to fix or work around coding problems.

Other memos indicated that patches were installed in systems after they were already certified and delivered to states. In a January 2002 memo, a Diebold engineer discussed modifying its machines in California but noted that because the state was likely to reject a change so late in the game, they'd install it as a bug fix to pass muster with election officials, rather than undergo lengthy certification procedures.

Diebold was recently chastised by California Secretary of State Kevin Shelley for violating California election law by loading uncertified software onto machines used in at least two counties in that state. The state discovered the information only after the uncertified software was used in at least two California elections.

In memos dated January 2003, Diebold employees also discussed making the cost of upgrading its machines in California "prohibitively expensive" if Shelley decided to require a voter-verifiable paper audit trail for e-voting machines, a feature sought by voting activists. The memos appeared at the time that Shelley was convening a task force to discuss security issues with e-voting.

Two weeks ago Shelley mandated that e-voting machines used in the state must produce a paper receipt that voters can use to verify their ballots. The machines must comply by July 2006.

Wendy Seltzer, staff attorney for the Electronic Freedom Foundation, said publication of the Diebold documents was an important ingredient in the growing public debate about electronic voting systems and the companies that manufacture them.

"We're pleased that Diebold has retreated and the public is now free to continue its interrupted conversation over the accuracy of electronic voting machines," she said.

Despite Diebold's retreat, the EFF is still seeking a ruling from the judge that states that posting the memos did not violate copyright laws. The group also wants Diebold to pay damages to the students and ISPs.

"This tells companies like Diebold who are thinking of doing what Diebold has done that it's not free to send out these letters," Seltzer said. "If the letters are baseless, there's a price to be paid for that. And there's a price to be paid for trying to suppress free speech."

Fogel is expected to rule on EFF's requests in February. Diebold spokesman Bear said he hopes to reach a settlement in the matter before Fogel makes a ruling.

With regard to anyone who wants to post the memos, Bear said, "They are free to do as allowed. We are not going to pursue copyright infringement."