January 27, 2025

Diebold Misled Officials about Certification

Diebold Election Systems knowingly used uncertified software in California elections, despite warnings from its lawyers that doing so was illegal and might subject the company to criminal sanctions and decertification in California, according to Ian Hoffman’s story in the Oakland Tribune.

The story says that Diebold made false representations about certification to state officials:

The drafts [of letters to the state] show [Diebold’s lawyers] staked out a firm position that a critical piece of Diebold’s voting system – its voter-card encoders – didn’t need national or state approval because they were commercial-off-the-shelf products, never modified by Diebold.

But on the same day the letter was received, Diebold-hired techs were loading non-commercial Diebold software into voter-card encoders in a West Sacramento warehouse for shipment to Alameda and San Diego counties.

Many of these encoders failed on election day, causing voters to be turned away from the polls in San Diego and Alameda Counties.

This brings Diebold one step closer to being decertified in California:

“Diebold may suffer from gross incompetence, gross negligence. I don’t know whether there’s any malevolence involved,” said a senior California elections official who spoke on condition of anonymity. “I don’t know why they’ve acted the way they’ve acted and the way they’re continuing to act. Notwithstanding their rhetoric, they have not learned any lessons in terms of dealing with this secretary (of state).”

California voting officials will discuss Diebold’s behavior at a two-day hearing that starts today.

[link via Dan Gillmor]

Industry to Sue Supernode Operators?

Rumor has it that the recording industry is considering yet another tactic in their war on peer-to-peer filesharing: lawsuits against people whose computers act as supernodes.

Supernodes are a feature of some P2P networks, such as the FastTrack network used by Kazaa and Grokster. Supernodes act as hubs for the P2P network, helping people find the files they search for. (Once a user finds the desired file, that file is downloaded directly from the machine that has it.)

The industry tried suing the makers of Kazaa and Grokster, but the judge ruled that these P2P companies could not be punished because, unlike Napster, they did not participate in acts of infringement. In Napster, every search involved the participation of server machines that were run by Napster itself. In FastTrack networks, the same role is played by the supernodes, which are not run by the P2P vendor.

A supernode is just an ordinary end-user’s computer. The P2P software causes a user’s computer to “volunteer” to be a supernode, if the computer is fast and has a good network connection. The user may not know that his computer is a supernode. Indeed, he may not even know what a supernode is.

The likely theory behind a lawsuit would be that a supernode is participating in acts of infringement, just as Napster did, and so it should be held responsible as a contributory and/or vicarious infringer, just as Napster was. Regardless of the legalities, many people would think such lawsuits unfair, because at least some of the defendants would be unaware of their role as supernodes.

Perhaps the real goal of the lawsuits would be to convince people not to act as supernodes. Most of the P2P applications have a “don’t be a supernode” configuration switch. If people understood that they could avoid lawsuits by using this switch, many would.

On the other hand, the industry had hoped that the existing lawsuits against P2P direct infringers would convince people to use the “don’t upload files” configuration switch on their P2P software, even if they still use P2P for downloading. (It’s not that downloading is legal, or that the industry doesn’t object to it. It’s just that it’s much easier to catch uploaders than downloaders, and the industry’s suits thus far have been against uploaders.)

The lawsuits have been effective in teaching people that unauthorized filesharing is almost always illegal and carries potentially serious penalties. They have been far less effective, I think, in enticing people to turn off the upload feature in their P2P software. Getting people to turn off the supernode feature seems even harder.

The main effect of suits against supernode operators would be to confuse ordinary users about the law, which can’t be in the industry’s best interest. If they’re going to file suits against P2P users, going after direct infringers looks like the best strategy.

Cyber-Security Research Undersupported

Improving cybersecurity is supposedly a national priority in the U.S., but after reading Peter Harsha’s report on a recent meeting of the President’s Information Technology Advisory Committee (PITAC), it’s clear that cybersecurity research is severely underfunded.

Here’s a summary: The National Science Foundation has very little security research money, enough to fund 40% or less of the research that NSF thinks deserves support. Security research at DARPA (the Defense department’s research agency) is gradually being classified, locking out many of the best researchers and preventing the application of research results in the civilian infrastructure. The Homeland Security department is focusing on very short-term deployment issues, to the near-exclusion of research. And corporate research labs, which have shrunk drastically in recent years, do mostly short-term work. There is very little money available to support research with a longer-term (say, five- to ten-year) payoff.

A Perfectly Compatible Form of Incompatibility

Scientific American has published an interview with Leonardo Chiariglione, the creator of the MP3 music format and formerly head of the disastrous Secure Digital Music Initiative. (SDMI tried to devise a standard for audio content protection. The group suffered from serious internal disagreements, and it finally dissolved after a failed attempt to use DMCA lawsuit threats to suppress publication of a research paper, by my colleagues and me, on the weaknesses of the group’s technology.)

Now Chiariglione is leading another group to devise the ultimate DRM (i.e., anti-copying) music format: “a system that guarantees the protection of copyrights but at the same time is completely transparent and universal.” He doesn’t seem to see that this goal is self-contradictory. After all, we already have a format that is completely transparent and universal: MP3.

The whole point of DRM technology is to prevent people from moving music usefully from point A to point B, at least sometimes. To make DRM work, you have to ensure that not just anybody can build a music player – otherwise people will build players that don’t obey the DRM restrictions you want to connect to the content. DRM, in other words, strives to create incompatibility between the approved devices and uses, and the unapproved ones. Incompatibility isn’t an unfortunate side-effect of deficient DRM systems – it’s the goal of DRM.

A perfectly compatible, perfectly transparent DRM system is a logical impossibility.

The idea of universally compatible DRM is so odd that it’s worth stopping for a minute to try to understand the mindset that led to it. And here Chiariglione’s comments on MP3 are revealing:

[Scientific American interviewer]: Wasn’t it clear from the beginning that MP3 would be used to distribute music illegally?

[Chiariglione]: When we approved the standard in 1992 no one thought about piracy. PCs were not powerful enough to decode MP3, and internet connections were few and slow. The scenario that most had in mind was that companies would use MP3 to store music in big, powerful servers and broadcast it. It wasn’t until the late ’90s that PCs, the Web and then peer-to-peer created a completely different context. We were probably naive, but we didn’t expect that it would happen so fast.

The attitude of MP3’s designers, in other words, was that music technology is the exclusive domain of the music industry. They didn’t seem to realize that customers would get their own technology, and that customers would decide for themselves what technology to build and how to use it. The compatible-DRM agenda is predicated on the same logical mistake, of thinking that technology is the province of a small group that can gather in a room somewhere to decide what the future will be like. That attitude is as naive now as it was in the early days of MP3.

Thoughts on the Gmail Privacy Flap

I have to admit I’m surprised at the magnitude of the recent controversy about Gmail, Google’s new webmail service. Gmail is a free webmail service, giving you up to one gigabyte of storage for email. The service shows you text ads alongside your messages, and provides various search features for your mail. The service has been surprisingly controversial, triggering angry blog-entries, letters from privacy groups, and even an anti-Gmail bill in the California state senate.

It’s important to separate complaints about what Gmail is doing now, from complaints about what the Gmail user agreement allows them to do later.

The main complaint about Gmail’s present design has to do with the text-based ads that Gmail is said to display alongside your email. To decide which ads to place, Gmail looks at the content of your email. Presumably this is a straightforward application of Google’s AdWords system (which used to appear on this site).

I’m not entirely sure why people are offended by the running of a (presumably memoryless) word-matching algorithm over their email, or the displaying of word-triggered ads. The scanner, by itself, wouldn’t bother me at all, since advertisers don’t find out who saw their ads. Users who click on the ads will be taken to the advertisers’ sites, which might try to identify them, but that’s not a new risk, and it’s controllable by the user. Other kinds of scanners, for instance ones that made summaries of my email for sale to third parties, would bother me a lot; but that’s not what Gmail is doing.

The other complaint about Gmail has been about the terms of its user agreement. There’s no doubt that the terms are egregious; but they don’t seem much worse than the terms imposed by other companies. (Seth Finkelstein makes this point well.) Hotmail’s terms of use are pretty distasteful too. So why the big flap over this particular agreement?

Don’t get me wrong. I’m glad to see people screaming about outrageous user agreements. It’s just that I would like to see some of that same anger directed elsewhere, to bring more balance into user agreements for all kinds of products. I hope the Gmail flap will cause people to look at other agreements in the same light.

I was never a likely customer for Gmail. But I can say for sure that the terms of service are enough to eliminate any remaining chance that I would switch to Gmail as my main email provider.