NEWS

  /  

November 3, 2003

Students post stolen internal documents on websites

Three University of Chicago students have joined the "electronic civil disobedience" campaign against the Diebold Corporation, hosting copies of internal documents hacked from Diebold's computer database on their websites that reveal serious flaws in the polling company's practices.

As of press time late Monday night, there were approximately 70 of these sites on 39 college and high school servers around the country. All three University pages have been posted within the last week.

While the majority of the 13,000 leaked pages are ordinary employee e-mails, some of the documents indicate that Diebold's electronic voting software is not secure. The software may have contributed to a miscalculation of election results, the documents reveal.

"If what these memos show is true, then Diebold is apparently guilty of running voting machines that they knew to be defective and/or vulnerable," said Yitz Wasileski, a second-year in the College and one of the three students who posted the documents.

"The fact that a memory card appeared which subtracted over 16,000 votes from Gore in Florida, and then vanished mysteriously, does not bode well for the integrity of our elections," he added.

Diebold is based in North Canton, Ohio, and employs more than 13,000 people. They produce ATMs and campus ID software in addition to electronic voting technology.

In response to the posting of the documents, Diebold has sent cease-and-desist orders to many of the colleges whose servers host the exposed information.

Under the Digital Millennium Copyright Act, parties are able to send such letters to Internet service providers (ISPs) instructing the ISPs to remove copyrighted material from their servers. The ISPs then have the option of removing the material or of filing a counterclaim.

So far, Diebold has sent 11 cease-and-desist letters.

In a controversial move, Swarthmore College has ordered the material removed from the webpages of its students, who electronically purloined the documents from Diebold. Several other schools have issued similar ordcrs.

Diebold refused to speak to the Associated Press for an article written on October 29, although David Bear, a spokesman for Diebold, told The New York Times that "We reserve the right to protect that which we feel is proprietary," in an article published Monday.

Critics of Diebold maintain that calling the documents "proprietary" implies that the documents are also legitimate.

On Tuesday, an ISP and two Swarthmore students are expected to announce publicly a countersuit against Diebold, to be filed at a federal courthouse in San Francisco.

The students say the Electronic Frontier Foundation (EFF) and the Center for Internet and Society Cyberlaw Clinic of Stanford Law School will provide their legal representation at the hearing.

The three students involved at the University are Wasileski; Marquis Eusung Hwang, a third-year in the College; and Ryo Chijiwa, a transfer student in the College. While all of them became aware of the campaign through the same source—www.slashdot.org—each said they had a slightly different reason for getting involved.

"I thought the whole issue—the insecure nature of their e-voting systems, the possibility that they made uncertified and illegal modifications, the possibility that voting results could be, and possibly were tampered with—deserved more public awareness," Chijiwa said. "Posting the files on my U of C webspace was something I could do fairly easily."

Hwang, learning the degree to which Diebold's systems were vulnerable, became particularly upset, saying that they can even be penetrated by Microsoft Access.

"[It] smacks of pitifully shoddy work," he said. "Rather than fixing the product once these vulnerabilities became known, the people at Diebold are acting like ostriches with their heads in the sand, pretending that these vulnerabilities are so unlikely that they might as well not exist."

Chijiwa maintained that his actions in posting the documents on his website were not illegal. "I am distributing the files in an academic setting for the purpose of criticism and to promote discussion which is permitted under fair use," he said.

Wasileski said that the U of C has not yet received any cease-and-desist orders. He said that while it's possible the company has given up—realizing it cannot shut down the sites as quickly as the sites can be republished—the company may be considering an alternative strategy to contain the sensitive material.

The goal of those involved in the campaign has been to post the contentious documents on at least two new sites for every one that is taken down.

"My hope is that the American public will become more aware of the dangers of voting machines with closed software," Wasileski said. "My greatest fear is that the issue will simply disappear and that, in the future, more elections will be carried out on unsecure machines, possibly allowing the manipulation of votes."

Gregory Jackson, the University's chief information officer, said that an order of cease-and-desist does not carry any legal weight. Rather, he said, it is simply a threat.

"We get lots of threats, and our response varies with our appraisal of the consequences of not [complying]," Jackson said. He is not certain if the Diebold documents fit into the legal definition of copyrighted or not.

Jackson said that the University would disconnect the Diebold documents from the network if they were determined to be copyrighted and the University received a formal complaint.

Hwang said he hopes the University will support students, should the need arise. "In cases like this involving activism and civil disobedience, I'd like to see the University take a more proactive stance," he said. "Being ivory tower intellectuals is fine—but in order to effect change, we have to make a stand somewhere. I'd hope the University would support us in this effort."