Sequoia Threatens Over Voting Machine Evaluation

enodo writes "Voting machine manufacturer Sequoia has sent well-known Princeton professor Ed Felten and his colleague Andrew Appel a letter threatening to sue if New Jersey sends them a machine to evaluate. It's not clear from the letter Sequoia sent whether they intend to sue the professors or the state — presumably that ambiguity was deliberate on Sequoia's part. Put another clipping in your scrapbook of cases of companies invoking 'intellectual property rights' for bogus reasons." Sequoia seems to be claiming that no one can make a "report" regarding their "software" without their permission.

No permission should be needed

[Midnight Thunder]

I am sure the state of New Jersey can tell Sequoia to accept this investigation or say good-bye to any certification. Sequoia is just making themselves look bad and like they have something to hide.

Sweet.

[Jaysyn]

Yes, that is *exactly* what we want Sequoia to do. Sue a Priceton professor & *security* researcher.

Bullet. Meet foot.

The ambiguity is a dead giveaway.

[TripMaster Monkey]

It's not clear from the letter Sequoia sent whether they intend to sue the professors or the state -- presumably that ambiguity was deliberate on Sequoia's part.

In other words, this is a scare tactic with nothing to back it up, pure and simple. If Sequoia thought the would have had actual grounds to sue, you can bet that they would have been chillingly specific in their letter.

When people resort to these sort of tactics to attempt to dissuade you, you can be assured you're doing something right.

Let's call a spade a spade:

[jockeys]

and see that the only reason Sequoia is pissed off is that they either
a. are afraid that there are gaping security holes in their machines
b. KNOW that there are gaping security holes in their machines

all the privacy zealots will no doubt say that my "if you have nothing to hide you have nothing to be afraid of" mentality is misguided, but let's take a step back and see what is on the line here. this is NOT about personal data, this is about objectively evaluating the security of a device that is going to be used in a VERY public fashion. do lamp makers threaten Underwriters Laboratories for wanting to make sure their device works as intended?

Re:Speechless.

[The Ancients]

Just speechless.

That's often the results with certain voting machines.

Re:Speechless.

[garcia]

Just speechless.

You are speechless for the right reasons but the majority of the American public will be speechless for another and far more unfortunate reason :(

"non compliant analysis"?

[apodyopsis]

"non compliant analysis"? whats the betting that the only compliant analysis gives it an A-OK rating.

thats like car salesperson attempting to sell you a car but only if you agree to take his word that it works and he'll sue anybody that you bring in to check the engine. if ever there was a warning bell not to buy their equipment that was it.

whats next? DMCA action against /. for this thread? absolute cobblers.

Re:Yes but...

[garcia]

Yes, but nothing is stopping Sequoia from being hung in the court of public opinion.

Sure there is, apathy.

Re:Check, Meet Balance

[markov_chain]

Maybe that's how this happened. Some clueless board member demands something to be done, slamming his first on the table. The task gets assigned to the CEO, who assigns it to the lawyers, who do "something" that will appease the chain of command all the while knowing how useless it is.

Re:No permission should be needed

[moderatorrater]

With the company threatening legal action, why even consider going forward with the investigation? Threats usually come from feeling that what you're threatening is dangerous in some way, so it's highly likely there are security problems to be found. Additionally, the state shouldn't even consider using a company that opposes a comprehensive security evaluation.

handy though

[rucs_hack]

If this gets thrown out, it will really dent future attempts to use methods like this to shield shoddy products.

If you ask me, Sequoia has been given some very bad legal advice. Didn't anyone stop to think about the public relations nightmare this would cause? Not to mention damage to their business.

Re:Check, Meet Balance

[CastrTroy]

Any voting system should be verifiable by any member of the voting populous. Having a PhD in computer science should not be prerequisite for understanding the voting system. You also shouldn't have to take somebody else's word for it either. Pen and paper hand counted ballots make sense, because anybody can see exactly what's going on, and fully understand the process. If voters don't understand the voting system, then they might as well not even be voting.

Re:Reverse engineering

[flaming error]

If anybody thinks this issue is about EULAs, they need to pull their head out of the sand.

This is about the future of democracy. These voting machine vendors are stripping transparency, security, and auditability out of our elections. None of us should give a damn what licensing agreement Sequoia wrote.

threat of suit

[belmolis]

IANAL but I am reasonably confident that Sequoia cannot successfully sue Felten. They may be able to sue New Jersey for breach of contract if in fact they have a contract with New Jersey that forbids such reviews. That may be the case - I believe that the license for MS Windows Server forbids reviews not approved by Microsoft. If there is such a contract, it would be interesting to see if it holds up in court. The "no review" provision is arguably void as being contrary to public policy.

Felten, however, has no contractual relationship with Sequoia and therefore cannot be in breach of contract. Sequoia therefore cannot sue him unless they can come up with another cause of action. Maybe, just maybe, they could sue him for disclosing trade secrets, if New Jersey has really nasty trade secret laws.

Re:Voting versus Gambling

[dpilot]

> but if they can help a democrat steal an election...

And what's your opinion if it's helping a republican steal an election?

Whatever response you give me, the words "a democrat" did not need to be in your post. Stealing an election is WRONG, whether it's a democrat or a republican. You took a very good post and diminished it with a bit of partisanship. I notice that you said "democrat" where usually the party affiliation is capitalized, so maybe you're scooting by on a technicality. But at that point we're parsing to the degree that we criticize politicians for.

Re:Check, Meet Balance

[ivan256]

The problem is the lack of even a single impartial ballot counter. Whereas an expertly designed and reviewed machine can be reasonably guaranteed to be bias-free.

Fixing elections is not something that has been enabled by new technology. The problem here is that the technology was supposed to reduce the fraud and inaccuracies, but it turns out it's just as hackable as the old pen & paper or punchcard systems despite the higher cost.

Re:handy though

[MightyMartian]

There is an alternative to all of this. New Jersey can simple remove Sequoia from the list of companies they're considering for voting machines. I mean, if they don't have it already, they can simply pass law stating that all those submitting bids for supplying the state with voting machines must make a machine available for independent review by an organization or institution of the state's choice. If Sequoia doesn't like those terms, they don't have to bid.

It's true, however, that IP claims are getting out of hand when a government and/or institution doing some work for the government is threatened with a lawsuit over testing hardware. These events are only going to get more egregious and ludicrous until Washington and the courts start handing these abusers their proverbial balls on a platter.

Re:Check, Meet Balance

[CastrTroy]

That's why the ballots can be counted, or viewed by multiple parties, who should all agree on the final counts. Anybody should be allowed to stand around and watch the counting. I'm not saying that no fraud would happen, because it's happened in the past, and it will happen in the future. I'm just saying that it should be obvious to the voting public when fraud is happening. The problem with machines, is that even if they are verified, it's impossible to know what code is running on it when you walk up to it on election day. Think of game consoles. They try to make it so you can only run licensed content. But people always find a way to run homebrew/pirated games. You can verify the machine all you want. There's no guaranteeing that the same machine will actually be used on election day. You could probably even put a completely different machine in front of people on election day, possibly in the same casing, although that's not even necessary, and people wouldn't even know they were using the wrong machine, because each polling district uses different machines.

I Agree with Sequoia on this

[Shivetya]

and you too.

If their contract declares as such then they are in the right.

However, it should be a requirement at the state level, if not federal, to require this sort of outside verification and study. If a manufacturer does not agree to it then they should be considered for the application. Fair is fair.

Don't want to be hold accountable then don't expect our money.

I am quite sure some other company will step forward if there is money to be made and their intellectual property rights are protected. I am all for testing and certification by outside groups but I also realize that there is investment here and that needs protected first. What must come first is OUR rights, our rights to know that outside experts have certified a solution and future implementations will protect our vote. Surely some company will step up to this for the money. Maybe it will be the kick in the pants for some group already in place to do so.

Re:Ok, I RTFA, but still...

[Ungrounded Lightning]

...have I got this straight?

Their voting machines are paid for by public dollars, used by the majority of the members of the public, to elect public officials, and they claim evaluation of their software cannot occur without their "permission"?

Their voting machines are SOLD (or maybe leased) to the government agencies that operate elections and have a contract specifying terms of use. They're claiming the contract forbids the sort of investigation that is proposed.

Now perhaps there are indeed such terms in the contract. In which case the New Jersey secretary of state (or a past one) made an unwise decision. Nevertheless, the state has a duty to insure that the system is not defective. Inspecting its operation, including that of the software if there is any question about its functionality (or even if there isn't, just to check), is obviously a part of that duty, and being inspected is obviously part of what it is to be a voting machine. So such contract terms, if present and interpreted as Sequoia claims, are clearly unconscionable. On that basis the state should be free to ignore the clause.

Alternatively, if the clause were to stand the resulting terms of use would make the machines "unsuitable for the intended use", violating the implied warranty of fitness. So the state could return them for a full refund. B-)

It would be interesting to see what would happen if Sequoia actually sued. If the contract specified interpretation under the laws of New Jersey (or didn't specify jurisdiction) the state might just refuse to be sued. B-) If it specifies another state (or they sue in their own) it would still be a funny show.

As for suing the professor, either he's acting as an agent of the state (in which case they're suing the state) or he's not (in which case he has no contract with them to enforce.) In the latter they'd have to go after him for something like DMCA violations or some part of contract law I'm unaware of.

Of course IANAL - and especially not a contract lawyer. So take the above with a suitable quantity of salt. B-)

Re:No permission should be needed

[Rick17JJ]

If they do not have enough confidence in their system's security or accuracy to allow it to be tested, then it is not good enough to be used for e-voting. They have just demonstrated that their system can not be trusted.

Re:Sweet.

[rnturn]

But... New Jersey might file a countersuit against Sequoia claiming that they interfering with New Jersey's ability to verify that the machines are suitable for use in actual elections (before the elections are held and found to be invalid). Imagine GM suing a customer because they took their car to a non-GM mechanic to verify that some work had been done properly. I doubt the courts would look kindly on that.

If I were a New Jersey state elections employee, I'd be looking seriously at returning the equipment, informing Sequoia that it was unsuitable for use, and demanding my money back.

Finally, I'm guessing that Sequoia isn't all that interested in staying in the electronic voting machine business. This act will pretty much have everyone who's still considering even using electronic voting equipment making a mental note to cross Sequoia off their short list of vendors.

Re:Here is Sequoia's response from their website..

[ScrewMaster]

Sequoia welcomes all such responsibly executed review activities.

Obviously they don't. Anyone claiming that Ed Felten is unable to responsibly execute such a review should have her head examined. More to the point however, it is equally obvious that they are very much aware of Professor Felten's reputation, and would very much rather he didn't execute a responsible review of their equipment.

Hey ... if they've nothing to hide ...

Re:threat of suit

[ScrewMaster]

The real issue is, how did things get so fucked up that companies feel entitled to operating in such secrecy?

Yes indeed, and this behavior on the part of private corporations is hardly limited to the voting industry. It's happening all over the place. The Taser is another excellent example: medical examiners being threatened and sued by the manufacturer of that device if they put "death by Tasing" in their official reports. Doesn't matter one bit if the person who was killed did die from a tasing. The company doesn't want the publicity and will send their lawyers after anyone that makes a complaint, legitimate or otherwise.

Now, this is serious shit, because it is giving corporations the power to intimidate and influence public servants who are simply doing their jobs, jobs that We the People pay them to do. That's just WRONG and needs to be addressed at some point. Really, what we're seeing here is what happens when a society becomes fundamentally amoral: America operated on what was essentially an honor system for centuries. People didn't do this kind of thing because, well ... good people just didn't do this kind of thing. Even corporate leaders had some respect for the system.

Now that we've become very much a cutthroat capitalist society, nothing matters so long as you have your way, no matter who is hurt in the process. That's not the America I grew up in, let me tell you.

Re:threat of suit

[ScrewMaster]

Oh, sure ... some corporations have always been cutthroat, and it has largely been government's role to counterbalance that to one degree or another, to correct the really egregious excesses. Overall though, the United States' business community generally was not cutthroat to the degree that we're seeing now. Corporations have always done bad things in the name of profit, but we're seeing a new set of extremes nowadays. Hell, if you want to see what unbridled corporate nastiness looks like, China is a much better example than the U.S. at its worst. I really don't think we want to go there, but we are.

In any event, I am noticing that there are things that simply were not done in the past that are now commonplace, such as threatening public servants with impunity. I'm generally against the government (any government) here in the U.S. coming up with more law, but it does seem like corporations like Sequoia and the Taser outfit need to get slapped back. Maybe the Justice Department or the FBI could lay off the media-driven "piracy" bandwagon for a couple years, and put some of these corporate assholes in their place.

Re:Check, Meet Balance

[FailedTheTuringTest]

No, it's not the same problem. It's easy for people to watch the movements of pieces of paper, make sure they end up where they belong, and count them. It's much harder to do the same with electrons.

The solution for paper ballots is based on four principles: transparency, adversarial conditions, counting everything in a way that, if done right, makes double-entry accounting look like a random number generator, and decentralization.

Transparency means that every step of the process is done in the open, with multiple people watching. Adversarial conditions means that the people watching include representatives (i.e. campaign workers) of all candidates, who are highly motivated to ensure that the others don't cheat. In Scotland, for example, each candidate can even apply their own seal to the ballot boxes in addition to the electoral commission's seals, so they can verify for themselves that boxes haven't been swapped, opened, or lost. A fraudster would have to be able to duplicate the seals of every political party in addition to the electoral commission.

As for counting, every ballot paper must be accounted for. Polling stations start with a known number of blank ballots (verified by all candidates) and they must count the number of ballot papers issued, used, spoiled, and not used, as well as the number of ballots that end up in the ballot box, and if the numbers don't add up right then one can deduce that funny business is going on.

Finally, decentralization is important. With safeguards in place, it may still be possible to cheat in a few locations (although you'd have to get campaign workers from all sides to look the other way), but widespread fraud serious enough to steal a whole election becomes extremely difficult. It is difficult to compromise the process in many locations at once. And even though the central counting facility receives the counts from each polling station and adds them up, it can be made to echo the numbers back and discrepancies can be spotted. A centralized electronic system, though, can be compromised at the center, you don't have to take over every polling station.

Re:Check, Meet Balance

[moeinvt]

"It is the exact same problem."

Hardly.

Think of the issues in logistical terms. In a paper-ballot system, tampering with a ballot box in such a way as to make any appreciable difference in the vote result would require tools, materials, physical access and a certain amount of time and effort within a relatively small window of opportunity.

With an electronic system, if the state isn't allowed to run simulated elections or do detailed inspection of the voting machine and software, the window of opportunity for tampering is huge, the potential for altering the result is high, and the risk of detection is minimal.

Re:Check, Meet Balance

[CastrTroy]

Financial systems rely on the fact that the transactions aren't anonymous. Money always goes from one account to another. In the voting process, it's (supposed to be) completely anonymous. A bunch of people come in, and bunch of votes are cast, but nobody should be able to tell who voted for who. Imagine the same with a bank, where deposits have to be made to the correct accounts, but you can't verify which account they are coming from.

Re:Check, Meet Balance

[Mr. Slippery]

The problem is the lack of even a single impartial ballot counter. Whereas an expertly designed and reviewed machine can be reasonably guaranteed to be bias-free.

If impartial ballot counter can't be found, how do you expect to find impartial software/hardware designers and reviewers?

At least ballot counters and monitors can be relatively unskilled. You can get a bunch of them with different biases and divide them up into teams to provide checks and balances. Harder to find a whole bunch of designers and reviewers and have them check on each other.