Clips December 15, 2003

[Lillie Coney <lillie.coney@xxxxxxx>]

Clips December 15,
2003

ARTICLES

Considering Computer Voting
Federal law fighting spam adds more to state's arsenal 
Phone Service Over Internet Revives Talk of Regulation
Justice's tech research arm needs better metrics

*******************************
New York Times
December 15, 2003
NEW ECONOMY 
Considering Computer Voting
By JOHN SCHWARTZ

Gaithersburg, Md. - HIGH-TECH voting is getting a low-tech backstop:
paper. Most new voting machines are basically computers with touch
screens instead of keyboards. Their makers promise that the new machines
will simplify voting and forever end the prospect of pregnant and hanging
chads. But as the market for computerized voting equipment has
intensified, a band of critics has emerged, ranging from the analytical
to the apoplectic.

The opponents of the current machines, along with the people who make
them and election officials who buy them, gathered to spar in
Gaithersburg, a Washington suburb, last Wednesday and Thursday, at a
symposium optimistically titled, "Building Trust and Confidence in
Voting Systems." 

The critics complained that the companies were putting democracy into a
mystery box, and that the computer code for the systems was not written
to standards that ensure security. Critics are uneasy about the major
vendors' political ties, and they worry about what a malevolent insider
or a hacker could do to an election. But above all, they complain that
few of the new machines allow voters to verify their votes, whether with
a paper receipt or another method, an idea favored by computer scientists
including David L. Dill of Stanford University. 

The companies generally respond that the lever-style, mechanical voting
machines offer no such backup, either. The critics counter that the
computerized systems are the first to need voter verification methods.

Now a growing number of election officials and politicians seem to be
agreeing with the skeptics. Last week, Nevada said it was buying voting
machines for the entire state, and it demanded paper receipts for all
voters. Nevada Secretary of State Dean Heller said he received an
overwhelming message from voters that they did not trust electronic
voting. "Frankly, they think the process is working against them,
rather than working for them," Mr. Heller, a Republican, said. Last
month, the California secretary of state, Kevin Shelley said that his
state would require all touch-screen voting machines to provide a
"voter-verified paper audit trail." 

Senator Hillary Rodham Clinton, Democrat of New York, has introduced a
bill that would require a paper trail and security standards for voting
machines. Her bill is similar to an earlier entry sponsored by a fellow
Democrat, Representative Rush D. Holt of New Jersey. "What's
required for money machines should be required for voting machines,"
Senator Clinton said in introducing the bill. "We must restore trust
in our voting, and we must do it now."

Rebecca Mercuri, an expert on voting technology who is affiliated with
Harvard's Kennedy School of Government and attended the symposium, said
the tone of the discussion had changed from acrimony and accusation to
the beginnings of civil conversation. The old corporate view, she said,
was that "we have the safest, most secure voting machine - and by
the way, it's a secret," Ms. Mercuri said. But that "is not
going to provide the trust and confidence that we need," she
said.

The symposium was at the National Institute of Standards and Technology.
The institute, part of the Commerce Department, plans to develop programs
to test and accredit voting systems under the Help America Vote Act,
passed in 2002 after the bitterly contested 2000 elections. That law
requires state and local officials to replace outdated voting systems,
calls for minimum standards for the systems and provides federal funds to
move the process along. 

Companies that make electronic voting machines have scrambled to dominate
the lucrative new market. They include Diebold Election Systems (a
division of Diebold Inc.) Sequoia Voting Systems, Election Systems and
Software, and Hart InterCivic. 

The industry insists that its systems are secure and trustworthy, with or
without paper. Harris Miller, who leads a new trade association for the
industry, said that the group had no position in favor or against paper
trails, but dismissed the issue as a "theological debate within the
academic community." Mr. Miller, who is also president of the
Information Technology Association of America, called some opponents of
electronic voting "black helicopter theorists" and Luddites who
"want to go back to the bad old days" of stuffed ballot boxes
and chad wars. 

But some of the critics know a lot about computing, security and
elections - like Prof. Aviel D. Rubin at Johns Hopkins University, who
led a team that analyzed purloined code from Diebold and found flaws that
he said even basic training in secure coding would prevent. His work was
cited in Nevada's decision to choose Sequoia's machines over Diebold's.
"The only way that vendors are going to produce auditable machines
is if they are forced to,'' Professor Rubin said. "So the recent
moves of California and Nevada to require voter verifiable paper are huge
steps in the right direction." 

A spokesman for Sequoia said that providing paper had less to do with
security than with voter confidence. "I still don't believe that
paper is essential," the spokesman, Alfie Charles, said. "But
it's becoming more important - for perception if nothing else, and
perception is critical in the voting process." 

A spokesman for Diebold, David Bear, said that the company did not oppose
the idea of voter receipts, and was happy to sell whatever kind of voting
machine election officials wanted to buy. "We're in the business of
providing products that our customers need," he said. In fact, the
company's machines already have thermal printers that are used to produce
end-of-day reports, so providing individual receipts would not
necessarily require an enormous change.

Not all of Diebold's employees are so supportive of change, as Web sites
that have sprung up in opposition to the machines have shown. Among the
thousands of internal e-mail messages from the company that have made
their way to anti-Diebold Web sites is a Jan. 3 message to colleagues by
an employee identified only as Ken. Referring to criticisms of the
Diebold, he wrote that news articles about a paper trail missed an
important point, which he italicized: "they already bought the
system." 

"At this point they are just closing the barn door,'' Ken wrote.
"Let's just hope that as a company we are smart enough to charge out
the yin if they try to change the rules now and legislate voter
receipts." In a later note he explained that he meant, "Any
after-sale changes should be prohibitively expensive."

Mr. Bear, the spokesman for Diebold, said, "It's safe to say that an
e-mail does not represent the policy of Diebold."

Professor Rubin said he was heartened by the increasing demand for a
paper trail, but said it was only the first step toward ensuring that
election security moved forward instead of backward. "We still don't
have a process for ensuring that the people writing the code of those
machines know what they are doing, or are not malicious," he said.
*******************************
Seattle Times
Federal law fighting spam adds more to state's arsenal 
By Peter Lewis

Even though the newly minted federal "Can-Spam" law overrides
state statutes, Washington consumers lose nothing under its terms, and in
some ways come out ahead, the state Attorney General's office says.

That's because the provisions in the act that pre-empt state laws do not
block state anti-spam statutes "that prohibit falsity or
deception," said Paula Selis, senior assistant attorney general in
the office's consumer-protection division. 

Since Washington's 1998 statute does exactly that  it bans deception
in subject lines, transmission paths and points of origin  it
remains intact. That means Washington consumers, Internet service
providers and the Attorney General's office retain "the same rights
and remedies that they had before passage of the federal law," Selis
said. 

Moreover, the federal law, passed by Congress last week, actually adds
more to the state's arsenal, because it gives state attorneys general and
Internet service providers  but not private individuals  new
grounds to sue. For example, they could take action if spammers fail to
allow recipients an opt-out choice, don't include working reply e-mail
addresses, or don't label their messages as commercial. 

"The bottom line for Washington consumers is that at least here,
we're better off," Selis said. 

It's a different story in California, where parts of a far-reaching
anti-spam law set to take effect Jan. 1 got blown out of the water. Most
significantly, California had settled on an "opt-in" approach,
meaning recipients would have to give explicit permission before spammers
could send unsolicited commercial e-mail. 

By contrast, the federal law adopts an opt-out approach for all
commercial e-mail, both junk and solicited. It forces senders to include
a valid postal address and a way in the body of the e-mail for recipients
to opt out of receiving future e-mail. But it gives spammers a 10-day
grace period before the opt-out must take effect  a reprieve that
irritates consumer advocates. 

Tom Dresslar, spokesman for the California Attorney General's office,
maintained the federal law that finally emerged was better than some
earlier versions. But he added, "We continue to oppose attempts to
pre-empt our tougher law because we believe it better serves
consumers." 

Like Washington's law, the new federal law forbids companies from using
deceptive subject lines and false return addresses. Under the federal
law, the most serious violators could receive fines of up to $6 million
and prison terms up to five years. 

Spam has become a serious irritation to consumers and a significant cost
to businesses. Last month, Brightmail, a San Francisco company that
provides anti-spam technology, reported that for the third month in a
row, more than 50 percent of the e-mail it filtered was spam. In November
2003, it identified 56 percent of 77 billion e-mail messages as spam, an
increase of over 16 percent from November 2002, when spam represented 40
percent.

Selis called the federal law "a good first step." Its most
glaring omission, she contended, may be the absence of a private
right-to-sue provision in federal court. Washington was "very
forward thinking" in including that option in state court, Selis
said. 

One area where the new law's reach is complicated is in connection with
spam originating overseas. Maureen Dorney, a lawyer with Gray Cary, a
California-based law firm tracking the new law, said there are
circumstances where it could apply. Such circumstances include: For
example, if the business is operated in the U.S., its principals live in
the U.S. and receive money from its operations, or the actual advertiser
is based in the U.S., "there may very well be jurisdiction,"
she said. No one knows exactly how much spam is originating overseas, but
it's a growing percentage, Dorney said. 

Peter Lewis: 206-464-2217 or plewis@xxxxxxxxxxxxxxxx 
*******************************
New York Times
December 15, 2003
Phone Service Over Internet Revives Talk of Regulation
By MATT RICHTEL

AN FRANCISCO, Dec. 14 - Politicians have worked hard to keep access to
Internet connections and many forms of Internet communication free from
regulation and taxation. But the debate over how government treats the
Internet is likely to reach a new level of intensity now that Internet
technology is colliding with one of the nation's most lucrative
businesses, telephone service. 

Last week AT&T and Time Warner Cable announced that they intended to
make Internet-based phone service available to millions of consumers next
year, allowing those consumers to bypass traditional phone companies.
Those moves signaled the start of a technological shift that could change
one of the biggest and most important industries in the American economy.
Central to that shift is whether and how Internet phone service should be
regulated, a question that the Federal Communications Commission started
to explore in hearings two weeks ago. 

In an interview on Thursday, Michael K. Powell, the chairman of the
F.C.C., said he had not made up his mind on that question. But he was not
at all shy about stating his preliminary view - that Internet-based calls
are fundamentally different from traditional phone calls and ought to be
regulated cautiously, if at all.

"There is no functional or technical difference between an Internet
phone call and other data - be it bits, or e-mail or Web pages," Mr.
Powell said, during a visit to San Francisco. Up to now, Internet traffic
has been essentially unregulated and untaxed because many politicians and
regulators have argued that the technology and online commerce would grow
more quickly if the Internet were left alone.

Mr. Powell noted that while Internet-based calls might serve the same
function as calls over conventional phone lines, the underlying
technology was different enough that it would not make sense to subject
them to "100 years of judgments" and regulations. "Let's
get this thing right and define it as truer to its real nature," he
said, referring to the new technology.

His views are far from universally supported, given the many complex
political and financial interests at stake. 

What is clear is that the existing telephone infrastructure is heavily
regulated, on both the state and federal levels, with intricate rules
intended to keep phone access universally accessible and affordable.

Gene Kimmelman, the senior director for public policy at Consumers Union,
said those regulations existed to satisfy important public policy
concerns. He contended that goals like universal access would be gravely
threatened if the world went to Internet-based services that were
unregulated. 

Mr. Kimmelman said that Mr. Powell's views, which seem to argue for far
less regulation, would undo "social policy that has made phone
service affordable and accessible." He added that one possible
result was that basic connections which, under the regulatory structure
were essentially subsidized by consumers and the industry, could cost
significantly more than they did now. 

Besides, he argued, function, rather than technology, should guide the
regulatory decision. "It looks, smells, feels like plain old
telephone service," he said of Internet service, and therefore it
should be treated similarly. 

This debate - the latest front in a 20-year-old regulatory battle that
started with the breakup of the Bell system - will define the grounds on
which various players in telecommunications compete. The question of how
to regulate Internet-based calling will be "the communications
regulatory issue over the next few years," said Eric Rabe, a
spokesman for Verizon, with audible emphasis on the word
"the."

For starters, regulators will have to address some central technical
questions. Telephone calls are traditionally carried to and from homes on
copper lines, with routing of the traffic using circuit switch
technology. Internet phone service digitizes voice signals and sends them
as Internet data.

Mr. Kimmelman argues that even with Internet-based service, the voice
signals are still sent over existing communications networks, whether
copper wires, coaxial cable or fiber optic lines. And he maintains that
there is nothing sacrosanct about the mere fact that the signals are sent
as Internet traffic.

"It's just a different way of assembling ones and zeroes so they can
be more efficiently transmitted," Mr. Kimmelman said, noting that
Internet calls would still have to travel through traditional phone wires
through part of their journey.

Mr. Powell, however, maintains that what is important is not the wires
but the technology involved. And, he pointed out, consumers who want to
use Internet phones would still have to pay phone and cable companies to
get Internet access through those networks, and in doing so, would still
be supporting the basic telecommunications infrastructure. 

"You pay Verizon $39.95" for high-speed access to the Internet,
Mr. Powell said. He argued that once consumers have paid for that access,
the providers should not necessarily be paid more for the use of that
access to send particular communications, whether in the form of e-mail
messages or phone calls. 

Telephone and cable companies are staking out different positions, and
other members of the F.C.C. may not share Mr. Powell's views. 

The phone companies naturally are not eager to compete against
Internet-based competitors who can avoid the huge costs of regulation.
But some, like Verizon, also say that the solution is not to regulate
Internet calling, but to deregulate the phone industry. 

SBC, another major telephone provider, said it thinks it could compete
against unregulated Internet-based services. The reason, said Dorothy
Attwood, senior vice president for federal regulatory strategy at SBC, is
that phone companies have a head start on features important to consumers
like 911 service and the ability to make calls even when the power fails.

The cable companies have their own perspective on regulation.
Atlanta-based Cox Communications, for instance, contends that regulation
should be based, not on the technology used, but on the market share of a
company, with larger companies subject to more regulations.

Cox, which already offers phone service based on circuit switch
technology to nearly one million customers, will start Internet-based
phone service in Roanoke, Va., today. But it does not expect the
regulatory questions to be answered soon.

"It will be four to five years,'' said Carrington Phillip, vice
president for regulatory affairs at Cox Communications, "before we
have a good sense of how regulation is going to evolve."
*******************************
Computerworld
Criticism of electronic voting machines? security is mounting
Malfunctions and vulnerabilities are stalling efforts to supplant old
polling methods 
Story by Elizabeth Heichler

DECEMBER 12, 2003 ( IDG NEWS SERVICE ) - As presidential primary season
approaches, a debate is raging about electronic voting -- and IT
professionals and computer scientists are among the loudest critics.

The issue has grown in urgency thanks to the Help America Vote Act of
2002, Congress' attempt to forestall a repeat of the infamous Florida
election debacle of 2000. The bill, known as HAVA, makes as much as $3.8
billion in funding available to states in the short term for replacing
older punch card and lever election equipment -- reforms that must be
implemented by January 2006. 

Manufacturers of the latest generation of electronic touch-screen voting
devices, known as direct recording electronic (DRE) machines, are poised
to reap the rewards of the spending spree. But controversy roils over
whether DREs are secure and bug-free. 

Incidents of electronic voting machine malfunctions have fueled the fire,
as have thorough security reviews of DREs commissioned recently by
election officials in various states. Those reviews have found high-risk
vulnerabilities in the systems sold by Diebold Inc., Election Systems
& Software Inc., Sequoia Voting Systems Inc. and Hart InterCivic Inc.

For its part, Hart viewed Compuware Corp.'s review of its system on
behalf of the state of Ohio (download PDF) as a "very positive
report," according to company Chairman David Hart. He said it will
be easy to implement the changes called for. 

Similarly, Sequoia spokesman Alfie Charles said that his company's system
scored well in the same Ohio review and that Sequoia has made many of the
recommended changes. "We'll do whatever officials require us to
do," Charles said. 

Neither Diebold nor Election Systems made representatives available for
comment.

Meanwhile, six vendors -- those four plus Advanced Voting Solutions Inc.
and Unilect Corp. -- this week responded to the controversy by banding
together to form an organization called the Election Technology Council,
which will address ethics and security practices, among other issues (see
story). 

"We came together because our environment has become chaotic,"
said Hart. "We need to be able to speak as an industry in a single
voice on the areas being regulated. ... We want to be part of the debate
and tell our industry's side of the story. There's a lot of
misinformation." 

Still, many IT professionals engaged in the issue are troubled by the
limits of computer systems reliability. 

Seattle software developer Erik Nilsson's experience writing database
code in the historic 1994 South African election made him feel "like
a small cog in an overwhelming and complex process," he said.
Technologists have to gain an understanding of the difficulty of running
elections if they are to contribute to solving software security and
quality problems, he said, because "there aren't very many coders
who understand elections and not very many elections people who
understand code." 

Nilsson, who chairs the Computer Professionals for Social Responsibility
working group on voting, is scathing on the subject of poor software
quality in DREs. The lack of improvements to computer security since he
became involved with it in 1987 has led him to conclude that for the time
being, paper -- that is, an audit trail outside of self-contained DRE
computers -- is still needed for safe elections. 

Brit Williams begs to differ. The computer science professor at Kennesaw
State University in Georgia is often on the opposite side of the argument
from e-voting skeptics, but even his opponents credit him with running,
for the state of Georgia, what may be the most thorough voting machine
inspection regime in the country. While Georgia's rigorous tests have
discovered unreliable units before they could be used at the polls,
Williams said he trusts the machines as far as is necessary within a
total security framework.

"People are looking at the security of electronic voting machines
from a purely technical point of view, but security is a combination of
physical, legal and procedural measures," said Williams. He said a
paper audit trail isn't needed and would introduce logistical problems.

David Dill, a computer science professor at Stanford University in Palo
Alto, Calif., is a recent arrival to the electronic voting discussion: He
said that prior to January 2003, he wasn't deeply involved in any policy
debates. But about a year ago, "it occurred to me that people were
buying these machines, and nobody was minding the store," Dill said.

In addition to working to rally other technologists to his point of view
via a Web site, VerifiedVoting.org, Dill got involved locally, in Santa
Clara County, when he heard about planned purchases of DREs. He credits
that local controversy with raising the alert and leading to a recent
victory for his group: Late last month, California's secretary of state
issued a mandate calling for voter-verifiable paper systems to be added
to all polling units statewide. 

Ted Selker, an associate professor at MIT's Media Lab, professes to be
"as worried as the next guy about security." But he maintains
that verification can be provided without paper, and he has developed
what he claims is a secure voting architecture that uses multiple
redundant software components. Selker said IT professionals need to get
involved locally, but he wants to broaden the conversation to include how
technology can improve other parts of the electoral process, such as
voter registration. 

"In 2000, between 1 and 3 million votes were lost in registration
database problems," he said. "It's the top place votes get
lost, and we're not focused on this." 

Heichler is editor in chief of the IDG News Service.
*******************************
Federal Computer Week
Justice's tech research arm needs better metrics
BY Sara Michael 
Dec. 9, 2003

The Justice Department's law enforcement technology research arm has not
adequately measured the success of its programs despite sharp budget
increases, General Accounting Office officials said today.

The Office of Science and Technology in the National Institute of Justice
aims to improve law enforcement technology through research and
development, information dissemination and application of new
technologies. The organization's budget and programs have grown in the
past several years, but the programs' success is largely unknown, GAO
officials said.

"OST has been unable to fully assess its performance in achieving
its goals because it does not measure the extent to which it achieves the
intended outcomes of its programs," the GAO report stated.

OST's budget grew from $13.2 million in fiscal 1995 to $204.5 million in
fiscal 2003, according to GAO. The range of programs has also changed,
from mainly law enforcement to include broader public safety technology
research and development, GAO officials said.

The Government Performance and Results Act of 1993 and guidance from the
Office of Management and Budget direct agencies to establish measures to
assess outcomes of programs. OST has developed some intermediate goals to
track progress, but officials haven't done enough, GAO officials
said.

Although Justice officials developed outcome measures in August 2002 for
the fiscal 2004 budget process, those measures didn't gauge results and
were not outcome-oriented but rather output-oriented, GAO said.

"We acknowledge that measuring results using outcome measures is
difficult, and may be especially so in relation to some of the types of
activities undertaken by OST," the report states. "There are
strategies available that have been used by other federal agencies to
take steps toward assessing the effectiveness of information
dissemination and technical assistance efforts."

GAO officials recommended that the Attorney General instruct the NIJ
director to reassess the measures used and better focus on outcome. The
report also recommends the development of appropriate intermediate
measures to determine effectiveness.

In a response to the report from the assistant attorney general for OJP,
Justice officials agreed with the recommendations. The NIJ director plans
to reassess the measurements. The assistant attorney general also noted,
however, that developing outcome measures for R&D projects is
particularly difficult.
*******************************