Election Section

Court Rejects Voting Security Lawsuit

By JAKOB SCHILLER
Friday February 20, 2004

On Wednesday a California Superior Court judge dismissed a lawsuit filed by a Berkeley attorney that aimed to increase security measures on electronic voting systems before the March 2 primary. 

Judge Raymond Cadei denied a temporary restraining order against Diebold Election Systems, Inc., the maker of the majority of the state’s touch screen voting machines, that would have kept Diebold from changing or updating anything on the machines before election day. The plaintiffs sought the restraining order against Diebold because they said the company used software updates that are not approved by the state. 

“We are pleased that the election officials will be able to move forward with the election,” said Diebold spokesperson David Bear.  

The plaintiffs also lost an injunction against Secretary of State Kevin Shelley and the registrars of voters from at least 18 counties, including Alameda, that would have prevented them from using the machines for an election until security updates are made. 

Attorney Lowell Finley and five plaintiffs filed the suit because they say Diebold machines pose serious risks to the election.  

“Electronic voting systems sold to California counties by defendant Diebold Election Systems, Inc., pose a grave threat to the security and the integrity of the statewide elections to be held on March 2, 2004, and November 2, 2004,” wrote Finley in the lawsuit. 

“Numerous computer security experts have shown that the hardware and software used in the Diebold systems is highly vulnerable to vote tampering both by company insiders and outside computer hackers.” 

There is also criticism of the Diebold servers used by counties to tally the votes. 

“I believe [the decision] was a mistake,” said Jim March, one of the plaintiffs named in the suit. “But this was not the main event, this was just a side show. This is just one step in a 15-round fight.” 

“We never asked that the judge prevent the election from going forward,” said Finley. “Our goal is to hold the state and counties to a high standard of security. We knew this was an uphill battle because of how close the election is.”  

Several of the plaintiff’s security requests are similar to those issued in two separate directives by California Secretary of State Kevin Shelley. In one issued last November, Shelley said that as of July 1, 2006, all touch screen voting terminals used in the state will be required to contain a voter verified paper audit trail which would allow election officials to double check votes in case of any vote tampering  

He also issued a directive on Feb. 5 pertaining to the upcoming March 2 election. Included in the directive were instructions to stop using the Internet to submit votes from the poling places to the county. This was also one of plaintiff’s requests. 

“Modem uploads of votes to a county’s GEMS server (the county server used to tabulate votes) is vulnerable to what is known as a ‘man-in-the-middle’ attack,” said Finley in the lawsuit. In one of the analyst reports cited by Finley, he said a hacker can program a laptop to act like a GEMS server.  

“By convincing a precinct judge to dial into an attacker’s laptop computer rather than the actual GEMS server, the laptop could receive the results, acquire the name and password to access the real GEMS server, and upload modified results to the GEMS sever with no noticeable lag time,” wrote Finley.  

“I think Shelley is trying to do the right thing and has taken much more proactive steps than election officials elsewhere in the country,” said Finley. But Shelly’s seven suggestions are just part of several others the plaintiffs demanded in the 36-page lawsuit they filed. 

“While [Shelley’s directives] are welcomed steps in the right direction, the directives do not fulfill the secretary’s duties under the election code because they leave many known security vulnerabilities unaddressed,” according to the suit.  

Several county registrars of voters signed a letter of protest scoffing at Shelly’s directives and saying he is overstating the concerns. They also said there is not enough time to make the changes and that the costs would be too high.  

“I think a lot of [Shelly’s] points were very good ones,” said Brad Clark, Alameda county registrar of voters, who did not sign the letter of protest. “But [the report] came too late. Some of the things cannot be done that quickly.” 

He said the same was true for the security updates requested in the lawsuit. 

“You simply cannot order that level of software change 12 or 13 days before the election.” 

After the court decision, a spokesperson for Kevin Shelley’s office said Shelley “appreciated that the court has chosen not to interfere with the upcoming election.” 

Finley said the plaintiffs will now move ahead with other actions, none of which he could disclose. 

Another one of the plaintiffs, Bev Harris, who runs blackboxvoting.com, the leading information site for opponents to touch screen voting, said there are other lawsuits brewing in states around the country who also use the new technology. She said the courts were the only way to proceed because elected officials have failed to intervene. 

“We will win one [lawsuit] eventually,” said Harris, who lives in Washington state. “And if that’s not doing it we’re going to have to organize demonstrations, move onto the streets.”