The New York Times In America

November 3, 2003

File Sharing Pits Copyright Against Free Speech

By JOHN SCHWARTZ
Correction Appended

Forbidden files are circulating on the Internet and threats of lawsuits are in the air. Music trading? No, it is the growing controversy over one company’s electronic voting systems, and the issues being raised, some legal scholars say, are as fundamental as the sanctity of elections and the right to free speech.

Diebold Election Systems, which makes voting machines, is waging legal war against grass-roots advocates, including dozens of college students, who are posting on the Internet copies of the company’s internal communications about its electronic voting machines.

The students say that, by trying to spread the word about problems with the company’s software, they are performing a valuable form of electronic civil disobedience, one that has broad implications for American society. They also contend that they are protected by fair use exceptions in copyright law.

Diebold, however, says it is a case of copyright infringement, and has sent cease-and-desist orders to the students and, in many cases, their colleges, demanding that the 15,000 e-mail messages and memorandums be removed from each Web site. “We reserve the right to protect that which we feel is proprietary,” a spokesman for Diebold, David Bear, said.

The files circulating online include thousands of e-mail messages and memorandums dating to March 2003 from January 1999 that include discussions of bugs in Diebold’s software and warnings that its computer network are poorly protected against hackers. Diebold has sold more than 33,000 machines, many of which have been used in elections.

Advocates and journalists have mined the trove of corporate messages to find statements that appear to suggest many continuing security problems with the software that runs the system, and last-minute software changes that, by law, are generally not allowed after election authorities have certified the software for an election.

Some colleges, like Swarthmore, have bowed to the pressure and removed the x documents from their networks. But in doing so last month, the dean, Robert Gross, maintained that Swarthmore supported the students in spirit. “We believe their actions express the values of the college, including its commitment to prepare students to be engaged, socially responsible citizens,” he said in a statement. Swarthmore has encouraged the students to keep up the debate and is providing legal advice about how to respond to the Diebold letters, a Swarthmore spokesman, Tom Krattenmaker, said.

Last week the advocates’ efforts to keep the documents online took another step as Freenet, an international anticensorship organization that promotes the anonymous distribution of files, obtained copies of the Diebold documents. The technology that the network uses is a peer-to-peer service, and is similar in many ways to the software behind file-trading companies like Kazaa and the original Napster.

Legal scholars say that the online protest and the use of copyright law by Diebold have broad implications and show that the copyright wars are about more than whether Britney Spears gets royalties from downloaded songs.

“We’re so focused on the microview — whether EMI is going to make a buck next year — but there is so much more at stake in our battle to control the flows of information,” including issues at the core of free speech and democracy itself, said Siva Vaidhyanathan, a professor in the department of culture and communication at New York University.

Nelson Pavlosky, a sophomore at Swarthmore from Morristown, N.J., who put documents online through the campus organization Swarthmore Coalition for the Digital Commons said the cease-and-desist letters were “a perfect example of how copyright law can be and is abused by corporations like Diebold” to stifle freedom of speech. He said that he and other advocates wished the college had decided to fight instead of take down the files.

“We feel like they wimped out,” Mr. Pavlosky said.

But with each takedown, the publicity grows through online discussion and media coverage, and more and more people join the fray, giving Diebold’s efforts a Sorcerer’s Apprentice feel. The advocates, meanwhile, are finding that civil disobedience carries risks. One student who posted the documents and has received a letter, Zac Elliott of Indiana University, said, “I’m starting to worry about the ramifications for my entire family if I end up in some sort of legal action.”

Copyright law, and specifically the Digital Millennium Copyright Act, are being abused by Diebold, said Wendy Seltzer, a lawyer for the Electronic Frontier Foundation, a civil liberties group. Copyright is supposed to protect creative expression, Ms. Seltzer said, but in this case the law is being evoked “because they don’t want the facts out there.”

The foundation is advising many students informally and helping them to find legal aid, and it is representing the Online Policy Group, a nonprofit Internet service provider that got a cease-and-desist letter from Diebold after links to the documents were published on a news Web site that the group posts.

Diebold has become a favorite target of advocates who accuse it of partisanship: company executives have made large contributions to the Republican Party and the chief executive, Walden W. O’Dell, said in an invitation to a fund-raiser that he was “committed to helping Ohio deliver its electoral votes to the president next year.’’

He has since said that he will keep a lower political profile. Diebold has been trying to stop the dissemination of the files for months with cease and desist letters, but the number of sources for the documents continues to proliferate. Then in July, the first evaluation of the purloined software from recognized authorities in the field — a team involving experts and Johns Hopkins University and Rice University — found several serious holes in the software’s computer security which, if exploited, could allow someone to vote repeatedly, or to change the votes of others. A later review of the software for the State of Maryland agreed that the software flaws did exist, but that in the practice of real elections, other safety nets of security would keep the vulnerabilities in the code from being exploited. Diebold has said it has been working to fix problems.

As Diebold continued to deal with the headache resulting from its leaked code last week, hackers released software from another of the three major high-tech election companies, Sequoia Voting Systems. Reports of that leak first appeared in the online news service of Wired magazine, which suggested that the company’s software also suffered from poor security design.

A spokesman for Sequoia, Alfie Charles, said that the software that had been taken was an older version that had been substantially modified. Possible security flaws in that software, which were discussed in the Wired account do not constitute an actual threat to security, he said.

Mr. Charles also emphasized that his company’s leak was unlike that of Diebold, which had left much of the purloined data unprotected on its own site. The Sequoia software was taken from the servers of a “grossly negligent” contractor to Sequoia, and not from the company itself, he said.

That defense does not sway Prof. Rebecca Mercuri, an specialist in election technology who teaches computer science at Bryn Mawr College. The fact that the software of both companies was not protected raises questions about their security, she said.

“Are these companies staffed by folks completely ignorant of computer security,” she said, “or are they just blatantly flaunting that they can breach every possible rule of protocol and still sell voting machines everywhere with impunity?”

Mr. Bear of Diebold said the election security and the virtual walls around his company’s computer network are different; “You’re looking at apples and oranges,” he said. Of the security breach, he said, “We acknowledge that was unfortunate that that occurred.” But the “security and sanctity of the election process,” he said, has been proved by the Science Applications International Corporation report.

Mr. Bear said that Sequoia planned to submit its software to Aviel D. Rubin, a computer security researcher at Johns Hopkins and the leader of the team that analyzed the Diebold code. Mr. Rubin said he was optimistic that the relationship with Sequoia would be less adversarial.

“It’s very different from the way that Diebold has been doing things.” Mr. Rubin, who has received a cease-and-desist notice from Diebold because of his research, said, “The solution is to stop selling insecure voting machines and not to continue threatening students who are only trying to protect our democracy.”

Voting companies emphasize that their products undergo rigorous testing and independent review required by federal laws for certification.

“Judging from the majority of news coverage, one might think that companies just throw software together and start selling equipment and running elections, when the reality is just the opposite,” Mr. Charles of Sequoia said.

Some observers of the fight say it is having an effect beyond ones and zeroes and virtual forms of hanging chad. Bev Harris, who is writing a book on the electronic voting industry, was among the first people to place the Diebold files online.

She said that when she began her research, young people tended to tell her that voting was irrelevant to their lives. That is changing, she said; “What more important thing can we do so that we can get them involved, and see how important voting is?”

Correction Tuesday, Nov. 4, 2003
An article in Business Day yesterday about the online circulation by hackers of software from electronic voting systems developed by Diebold Election Systems and Sequoia Voting Systems misattributed a statement about the possibility of Sequoia's submitting its software to a computer security researcher. It was made by Alfie Charles, a Sequoia spokesman, not David Bear, a Diebold spokesman. The article also referred incorrectly to the source of the Sequoia software that was released. The source was a contractor used by one of Sequoia's customers, not one used by the company.


Copyright 2003 The New York Times Company | Home | Privacy Policy | Search | Corrections | Help | Back to Top