Slashdot Log In
Suit Claims Diebold Voting Machines Violate GPL
Posted by
kdawson
on Tue Nov 04, 2008 03:14 PM
from the insult-to-injury dept.
from the insult-to-injury dept.
An anonymous reader writes "Diebold Inc. and its subsidiary, Premier Election Solutions, is using Ghostscript in its electronic election systems even though Diebold and PES 'have not been granted a license to modify, copy, or distribute any of Artifex's copyrighted works,' Artifex claims in court papers filed late last month in US District Court for Northern California. The gs-devel list first brought up the possible GPL violation a year ago."
Related Stories
Submission: Suit Claims Diebold Voting Machines Violate GPL by Anonymous Coward
[+]
Open Source Program Reveals Diebold Bug 175 comments
Mitch Trachtenberg writes "Ballot Browser, an open source Python program developed by Mitch Trachtenberg (yours truly) as part of the all-volunteer Humboldt County Election Transparency Project, was instrumental in revealing that Diebold counting software had dropped 197 ballots from Humboldt County, California's official election results. Despite a top-to-bottom review by the California Secretary of State's office, it appears that Diebold had not informed that office of the four-year-old bug. The Transparency Project has sites at humetp.org and http://www.humtp.com." Trachtenberg also points to his blog for the Transparency Project, and his own essay about the discovery and the process that led to it.
[+]
Diebold Election Audit Logs Defective 256 comments
mtrachtenberg writes "Premier Election Solutions' (formerly Diebold) GEMS 1.18.19 election software audit logs don't record the deletion of ballots, don't always record correct dates, and can be deleted by the operator, either accidentally or intentionally. The California Secretary of State's office has just released a report about the situation (PDF) in the November 2008 election in Humboldt County, California (which we discussed at the time). Here's the California Secretary of State's links page on Diebold. The conclusion of the 13-page report reads: 'GEMS version 1.18.19 contains a serious software error that caused the omission of 197 ballots from the official results (which was subsequently corrected) in the November 4, 2008, General Election in Humboldt County. The potential for this error to corrupt election results is confined to jurisdictions that tally ballots using the GEMS Central Count Server. Key audit trail logs in GEMS version 1.18.19 do not record important operator interventions such as deletion of decks of ballots, assign inaccurate date and time stamps to events that are recorded, and can be deleted by the operator. The number of votes erroneously deleted from the election results reported by GEMS in this case greatly exceeds the maximum allowable error rate established by HAVA. In addition, each of the foregoing defects appears to violate the 1990 Voting System Standards to an extent that would have warranted failure of the GEMS version 1.18.19 system had they been detected and reported by the Independent Testing Authority that tested the system.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
The thing is (Score:2, Interesting)
The GPL only applies when you distribute software. They are probably not distributing the software outside their own company.
For one of the people who will be running the election hall on election day, when they get delivery of the election machine, is that counted as receiving a copy of the software?
The machine itself is closed and locked down, and most likely cannot be opened without a special key from Diebold.
If that is not the case, hit me with a cluebat.
Re:The thing is (Score:5, Informative)
They are probably not distributing the software outside their own company.
Considering they *sell* the machines to the government, that most certainly counts as distribution.
Just because it's loaded on closed hardware doesn't mean that it's not being distributed.
For one of the people who will be running the election hall on election day, when they get delivery of the election machine, is that counted as receiving a copy of the software?
Unless Diebold is
A) a part of the US government
or
B) running the election
that's pretty much irrelevant. They're distributing the machine to the government, who sends them to the election halls, and *that* is what counts as distribution.
Parent
Re: (Score:3, Funny)
A) a part of the US government
Well it looks like A) came true: DRE 700 for pres! [theonion.com]
Re:The thing is (Score:4, Interesting)
Many people have said this, but delivering software on a hardware platform is delivering it. This is why we have source code for things like the linux running on Linksys routers. The routers are mean to be as locked up as a voting machine, but because of the GPL they are forced to distribute the source.
Parent
Re:The thing is (Score:4, Interesting)
Parent
Re: (Score:3, Insightful)
But how would they (the GPL folks) handle it if the hardware was leased just for election day. I.e., the precincts pay Diebold $LARGE sum to deliver, set up, run, tear down, and take back the machines each election. Then Diebold isn't distributing anything. They're just providing a service.
How would the MAFIAA handle it if someone were to do the same with DVDs or BLU-RAYs and large portable theaters? I'm pretty sure that not only would the MAFIAA see such use as distribution, so would the courts.
Re: (Score:3, Insightful)
It would be nice if that were true, but I'm pretty sure it's not true in U.S. law today. For example, I'm pretty sure that you are not allowed to publicly perform that DVD (project it to a public audience) without a special license that doesn't come from the DVD store.
forced to distribute the source .. (Score:5, Informative)
No one is forcing Diebold Inc. to use Ghostscript in its electronic election systems
Parent
Re: (Score:3, Insightful)
Incorrect. The GPL governs copy, modifying, distributing, and sublicensing. If you do any one of those (outside of any rights you have under law that do not require a license from the copyright holder), you are permitted to do so only under the terms of the license. Some terms of the license are only relevant to certain of those acts (or certain combinations of them).
Note, particular
Voters don't have standing here (Score:5, Informative)
It's my understanding that anyone who has "object code" is also entitled to "source code."
This means the owners of the voting machines have standing to sue. If the machines are leased, depending on how the courts determine what distribution means when a lease is involved, the local governments may or may not have standing.
The copyright owner might only have a claim of "license violation" if an owner asked for and was denied the source code.
There's also the whole issue of "how viral is viral." If the printing code is done as an independent program, then Diebold might only be obliged to release it. After all, if I publish a BSD LiveCD that contains some GPL programs, I'm obligated to publish the GPL source but not the source to BSD-licensed code. The same would apply if the PDF-generating code were in a self-contained application in the "rom filesystem" in the firmware.
Parent
Re:The thing is (Score:5, Interesting)
The machine itself is closed and locked down, and most likely cannot be opened without a special key from Diebold.
That you can make from pictures foolishly posted online. Does anyone seriously doubt that Diebold machines are, at best, woefully badly made?
To put it another way (true conversation):
Nerd One: I don't get it, it's not hard to design a machine with buttons that counts ballots fairly in a secure manner.
Nerd Two: It's not hard, there's just no market for it.
Parent
Overlook the matter (Score:5, Funny)
Diebold and PES 'have not been granted a license to modify, copy, or distribute any of Artifex's copyrighted works
In a later statement, Artifex said that they would overlook this violation if all the machines were reconfigured to auto-vote for Obama.
Re:Overlook the matter (Score:5, Funny)
Whoops, got modded as a troll. I reckon I can still claw this back though:
In a later statement, Artifex said that they would overlook this violation if all the machines were reconfigured to auto-vote for McCain.
There, that should keep everyone happy :)
Parent
Good thing Diebold is helping with the election (Score:5, Funny)
Doesn't Sound Like A Violation (Score:4, Informative)
Based on the totally inadequate summary it seems like there is no violation, except perhaps the minor one of Diebold not having their own ftp site with the normal GPLed gs code available (which they could fix in an hour).
I mean if Diebold didn't modify gs but merely used it on their machines they are only required to distributed the standard gs code. The mere fact that gs runs on the same machine doesn't make the rest of the diebold code a derived work. It's all about what is a derived work of the gs code.
Bad Summary: likely in-house license, not GPL (Score:5, Informative)
Re: (Score:3, Informative)
They would have to do that if it's GPL. This would not require them to release source to other software on the disk. There is a difference between aggregation and the creation of a derivative work. A program that just calls Ghostscript to run isn't a derivative work of Ghostscript.
Re:Are they distributing the software? (Score:5, Insightful)
When they sell the machine to the buyer it is distributing the software that the machine runs.
Parent
Re:Are they distributing the software? (Score:5, Interesting)
When they sell the machine to the buyer it is distributing the software that the machine runs.
Google Linksys, they were in a similar situation a few years ago. I'd love to see the same outcome this time!
Parent
Re:Are they distributing the software? (Score:4, Interesting)
Parent
Re:Are they distributing the software? (Score:5, Informative)
The code was already found on a public FTP site by the founder of blackboxvoting.org
The code is totally insecure, and has many vulnerabilities.
Rest assured, there are multiple ways to rig the voting machines.
Parent
We Tax payer want our money back! (Score:5, Insightful)
Dear Diebold,
Due to security problems, many states are no longer going to use voting machines sold by by your company. From a warranty standpoint, your product never lived up to our expectation, there for we want our money returned.
American Tax Payer
PS: Don't you also provide Bank ATM's? Should we be concerned about security of these devices too?
Parent
Re: (Score:3, Insightful)
I've always felt that the poor security and poor implementation on the voting machines is intentional to allow for the possibility of fraud - or more to the point to allow for officials to say, "these have been hacked...by someone else!" after they are themselves caught hacking them.
Re:We Tax payer want our money back! (Score:5, Informative)
From what I understand their ATM security is just fine.
uhh what?
Jeff Dean, Senior Vice-President and Senior Programmer at Global Election Systems (GES), the company purchased by Diebold in 2002 which became Diebold Election Systems, was convicted of 23 counts of felony theft for planting back doors in software he created for ATMs using, according to court documents, a "high degree of sophistication" to evade detection over a period of two years[7]
Parent
Re: (Score:3, Interesting)
The threats are different. With an ATM it's usually the man on the street attacking and the institution (i.e. bank) trying to stop the attack. With voting machines it's the institutions (i.e. political parties) that would be attacking and the man on the street that wants to see it stopped.
With different threat models, come different security methods. I'm sure ATM's are quite secure (at least up to the banks insurance amount). But the same techniques and assumptions don't work to secure a voting box.
Re: (Score:3, Interesting)
Diebold's voting systems division was an acquisition of Global Election Systems. The ATM and votings systems share nothing but the brand. They also spun off their voting systems to a new company called Premier Election Systems, I suspect because all the scandal was hurting their brand in other lines of business.
Re:Are they distributing the software? (Score:5, Insightful)
Given that scenario, under the GPL, is Diebold still required to make a copy of the ghostscript code available, if they've made no modifications to it? Or could they simply put on their web site, "Diebold uses the open-source tool Ghostscript, v8.2.1, which can be downloaded from "?
It doesn't make sense that running the ghostscript app on their system would force them to provide "all the source code for their entire system," and it also doesn't make sense that if they're using the app unmodified, they should have to provide for some sort of hosting mechanism when there's already a definitive hosting platform for it and they're "just using" the app as distributed by that company.
So I'm curious - anybody have any insight?
Parent
Re: (Score:3, Funny)
You're right. 1) At most they only have to provide this to the people that they've sold machines to. Anyone else can go roger a knothole. 2) Aggregation, as you note, doesn't lead to licensing infection.
Re:Are they distributing the software? (Score:5, Informative)
Sigh. The GPLv2 makes it perfectly clear that the "offer to provide source code" method of binary distribution can only be passed on from a third party for non-commercial distribution.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
It's pretty straightforward english.
Parent
Re:Are they distributing the software? (Score:5, Insightful)
While I appreciate the information you provided & thank you for it, please bear in mind that not all of us have read the GPL from start to finish, or have a copy on hand to cut and paste from. The condescension is not strictly necessary.
I asked that question seriously, because I don't understand the legal nuances of the GPL and hoped someone could answer the question - I've received several informative answers, yours included. When you answer questions in this fashion, you only serve to alienate people who are just looking for information or clarification.
Parent
Re: (Score:3, Insightful)
Yeah, sorry. We've been discussing the GPL on Slashdot for a good decade now. It's required reading material. You wouldn't go to a bible meeting and ask "Who's this Jesus guy you keep talking about?" Ok, bad example, their eyes would light up like Christmas trees. :)
Re: (Score:3, Interesting)
They would have to give source for the version they used. Putting a gostscript.tar.gz in the c:/ would have been good enough.
Linking to a license text or source code on servers other than yours. This amounts to GPL Section "3c" (passing on a written offer), which is only valid for non-commercial distribution. They committed commercial distribution. So they should have just dropped a src tar on the machine or on a cd that came with it.
Yes it does. (Score:5, Informative)
The GPL is pretty strict about any distribution requiring source being made available. Embedded devices are no exception.
Parent
Re: (Score:3, Informative)
If you don't provide the source *with* the binaries (Section 3(a)), then you must make the source available to everyone (Section 3(b)).
The third option, pointing to the upstream provider (Section 3(c)) only applies to non-commercial distribution, which this isn't.
Re:Are they distributing the software? (Score:5, Insightful)
It would be sweet if by some courtroom magic we could use Diebold to fund lots of open source development.
More likely, this will turn into MS FUD about how the GPL is cancer.
Parent
Re:I liked this video. (Score:5, Funny)
Parent
Re: (Score:3, Interesting)
But not half as cheap and simple as using paper and pencil, and having thousands of volunteers counting in parallel. Oh I know, sometimes the electoral ballots are huge in the US, but really, why does it have to be such bloody rigmarole every time there's an election there?
Re:How are they violating the GPL (Score:5, Insightful)
Moron. The machines in question are running win2k. The software they are distributing with their close systems is ghostscript, which is dual licensed. They either have to have the AFPL commercial license for closed distribution, which they do not, or they have to adhere to the GPL, which they are not.
According to the MPAA and RIAA, Diabold are stealing software. The fact their systems are flawed and they fight tooth and nail to avoid any inspection of their voting machines, also adds insult. Now we know why, they are thieving pirates.
Parent
Re:How are they violating the GPL (Score:5, Informative)
Look, the GPL gives Diebold the explicit right to use that software, so long as they distribute it themselves.
What? The GPL gives them the right to use and modify the software, as long as they don't distribute it. If they distribute it (say, by selling a voting machine that runs a copy of the software) they have to provide the source. They have not provided any source.
all they've done is establish that the free software movement is really free subject to arbitrary whims and conditions.
The conditions are not arbitrary. They are clearly spelled out in the GPL, which is much easier to read and obey than any proprietary license.
At least if they had used Microsoft Windows internally, they would have been free of any political considerations for license compliance.
Read the second link in the blurb. The voting machines in question run Windows 2000. Guess what, GhostScript runs on Windows too.
Parent
Re: (Score:3, Insightful)
Actually, if you look at the mail thread linked in the summary, they *ARE* doing this on Windows.
Someone looking at the setup noticed some Ghostscript files being changed so he mailed the gs-devel list asking for ideas.
Re:remember freedom? (Score:4, Insightful)
Because the GPL ensures freedom for the people who use the software down the chain?
Why give out free software and not make sure it is free for all under the same conditions you gave it?
Why should someone have their opensource software closed up by someone else?
In making opensource software the idea is to make opensource software, not to make the basis for closed source software.
If you intend to never give source, do not use free software, write your own. It is not a huge burden to put the source on your webpage somewhere.
Parent
Re:remember freedom? (Score:4, Insightful)
If people are writing software with the sole aim of having it used by others, then there are licences for that too. People publish under the GPL because it represents what they believe in. There's obviously demand for it, which is why its used.
Sorry, I know I should feed the trolls.
Parent
Re: (Score:3, Insightful)
Who pays you to post this drivel?
The GPL is not viral, it is a very clear license. If you do not like it, do not use it or software licensed under it. Many people do use it and prefer it because it ensures that the software they wrote stays free.
Re: (Score:3, Insightful)
The only companies that "don't understand" what they can and cannot due under the GPL are the ones that are using an "I'm stupid" smoke screen to try and hide their illegal behavior.
Re: (Score:3, Insightful)
Only a moron would be scared to legitimately use open source software because someone else illegitimately used open software. That's a little like being afraid to closed source software because a warez site got raided. The only companies that "don't understand" what they can and cannot due under the GPL are the ones that are using an "I'm stupid" smoke screen to try and hide their illegal behavior.
uh, no, there are real grey area issues here, and it's not a matter of stupid people don't get it and smart people do- from the gs-dev message linked, the gs folks 'do not consider bundling as an integrated component intended to work with other software as "mere aggregation" under the GPL.' the point to note is they do not consider it an aggregate- not that it isn't. it's a grey area - look at the gnu fact- http://www.gnu.org/licenses/gpl-faq.html#MereAggregation [gnu.org] : "Where's the line between two separate p
Re: (Score:3, Insightful)
These ridiculous lawsuits scare the crap out of anyone who would want to legitimately use open source software, and they completely go against the idea of freedom.
These lawsuits are no more "ridiculous" than Microsoft suing somebody because they were running 100 copies of Windows XP but had only paid for one.
In both cases, it's an infringement of copyright. If Diebold hadn't infringed copyright, they wouldn't be sued for it. OK, so maybe the RIAA would sue them while they were getting around to everyone else on the planet, but that doesn't count.
Because.... (Score:3, Informative)
GPL authors generally do not want to put code out there to be used as a no-cost alternative to commercial development libraries and programs, while getting nothing in return.
Basically, the "license fee" for GPL code is that the person/company reselling it must give back changes and/or distribute source. And they must abide by any attribution demands as well.
Or negotiate a commercial use license. MySQL does that.
Re: (Score:3, Informative)
If you distribute you must give source, does not matter if you change it or not.
Re: (Score:3, Informative)
If you distribute a GPL program, you are required to specify that you are using GPL software, and you must let your users know their rights to view, modify and distribute the source code. Additionally, you are required to give them the source, or offer to do so.
The GPL is more or less straightforward and easy to understand. http://www.gnu.org/licenses/gpl.txt [gnu.org]
Re:Ghostscript was found only on (Score:4, Funny)
Oh so THAT's why only blue districts need anti-virus applied just before election day
Parent