
Clips November 11, 2003




ARTICLES

Search engines face drug test
California voting machine called into question
Latest anthrax scare brings call for better bioterror technology
Singapore toughens laws to combat cyber terrorists
Jury still out on e-voting
No need to rush [e-voting]
Bias in the voting box?
Administration urges Senate to revisit cuts in tech
Consumers Can Move Home Numbers to Cells
Britain Plans to Introduce Identity Cards
SURE, IT SEEMS LIKE YOU VOTED, BUT WITHOUT A PAPER TRAIL
Suspect Code Used in State Votes 

*******************************
CNET News.com
Search engines face drug test
Last modified: November 10, 2003, 12:55 PM PST
By Stefanie Olsen

A major U.S. pharmacy trade group is pressuring Web-based search engines to ban advertisements from unlicensed drug dealers, highlighting growing pains for the Net's newest marketing powerhouses.

The National Association of Boards of Pharmacy (NABP) said it will meet with Yahoo on Wednesday as part of an effort to clean up ads for prescription drugs, such as the painkillers Vicodin and OxyContin, that can be ordered freely by mail from some Web sites without a doctor's consent.

NABP and Drugstore.com, one of the biggest online pharmacies, have contacted several sites, including search engine provider Google, Microsoft's MSN Web portal and America Online, saying that they have run ads from illegal distributors. NABP and Drugstore.com want the sites to agree not to run ads from distributors unless they are certified by the industry organization. The association currently lists 14 certified pharmacies on its verified Internet pharmacy practices site (VIPPS), including Drugstore.com and Walgreen's online arm, Walgreen.com.

"The concern is that there are literally hundreds of illegal sites selling pharmaceuticals such as OxyContin and Vicodin with no medical oversight," said Walter Conner, senior director for communications for Drugstore.com, which joined the NABP's campaign earlier this year. "Google is carrying ads for these sites...We feel that the major search engines have a social responsibility not to do this."

The debate goes to the heart of "pay per click" advertising programs sponsored by search engines such as Google and Overture Services, a segment that's expected to account for a quarter of the $6.3 billion online advertising market this year, according to Nielsen/NetRatings. Pharmacy ads make up a relatively small fraction of this total, but carry a high profile given the public health and safety issues at stake.

Search engines are widely credited with helping revive the flagging online advertising market, thanks to auctions of high-impact text-based links that appear atop or adjacent to search results related to specific keywords, such as "digital cameras."

As they've grown, such programs have increasingly come under scrutiny from regulators and the courts, which are demanding greater accountability from providers. If successful, those demands would almost certainly raise costs for search engines by forcing them to more closely examine thousands of advertisers and listings in an industry that up until now has relied heavily on automation.

Calls for increased accountability could also crimp revenue by winnowing demand for the keywords sold by search engines in Google's and Overture's pay-per-click advertising systems, which currently take place through auctions that are open to all comers.

The Federal Trade Commission (FTC), which regulates advertising in the United States, last year issued its first guidelines targeting advertising in search results, laying out best practices for disclosure of paid links but falling short of demanding formal changes. The agency recently indicated that it is continuing to examine Web search industry practices.

Trademark holder eBay, meanwhile, recently asked Google to restrict the sale of the keyword "eBay," a move that could spark other trademark holders into action.

Although search companies say they are working hard to establish appropriate advertising guidelines, there are still kinks to be worked out, analysts said.

"Paid search has created a world where keywords have fiscal value, but we haven't figured out how to enforce their meaning or who should enforce their meaning," said Matthew Berk, research director at Jupiter Research.

Regulators on the move
NABP's efforts to restrict online pharmacy ads come as concerns mount over illegal prescription drug imports from Canadian and overseas Web sites. Sites that sell low-cost medications with or without a prescription have proliferated online, littering Web search results pages and e-mail in-boxes with pitches for a range of restricted drugs, including the male sexual aid Viagra, the antidepressant Xanax and the sleeping pill Ambien.

Pharmaceuticals sellers served some 2 billion advertising impressions in October, making them the second largest group of advertisers within the health industry on the Net, behind weight-loss marketers, according to researcher Nielsen/NetRatings. The health market made up about 5 percent of the total online ad sales in October, Nielsen reported.

Demand is there, too. As drug prices rise, many people are turning to Internet stores to buy less-expensive alternatives from abroad. Officials say that the trade of unlicensed prescription drug sales online will be worth between $800 million and $1 billion this year.

Regulators are beginning to crack down. Following a complaint from the Food and Drug Administration, a federal judge in Tulsa, Okla., shuttered Rx Depot, a Web site that sold low-cost prescription drugs from Canada.

Rx Depot could not immediately be reached for comment. In a message posted on its Web site, the company said it plans to appeal the decision.

Richard Cleland, the FTC's assistant director for the division of advertising practices, acknowledged that there are some legal gray areas concerning the reimportation of drugs from licensed Canadian dealers. But he said he believes a substantial portion of online drug sales likely violate some aspect of U.S. law.

Search engines that run ads for distributors that are deemed illegal could put themselves in legal jeopardy, he added.

"I'm not convinced that they won't (face private lawsuits) if some minor purchases a controlled substance through facilities based on ads they've allowed to run," Cleland said.

In recent months, the battle against unlicensed online prescription drug distributors has widened to include online marketing campaigns that promote such sites, rather than just the distributors themselves, which are frequently beyond the easy reach of the U.S. legal system.

Those efforts come as Google is reportedly preparing for an initial public offering that is expected to value the company at more than $15 billion, due in part to profits earned on its growing keyword advertising business.

A Google search on the term "Vicodin" by CNET News.com on Friday revealed 10 sponsored results for distributors that do not apparently require buyers to provide prescriptions.

Google spokesman David Krane said the company's policy is to accept ads only from pharmacies that require customers to provide appropriate evidence of authorization, such as a doctor's prescription or consultation, before fulfilling orders.


"We have a large advertiser base that is constantly changing," he said. "When we're made aware that a company is violating our terms of service we take appropriate action."

Krane said Google is exploring the adoption of more stringent measures, including limiting sales of pharmaceutical ads to VIPPS-certified companies, among other options.

Slippery boundaries
But Google must consider its audience beyond the United States, Krane added, given that a large portion of its traffic originates overseas, where laws may be different. The company wants to provide the broadest set of commercial options to advertisers and visitors, he said.

The nuances of keyword advertising are also hard to police. By disabling keyword advertising on the term "Vicodin," for example, Google could be restricting an organization that wants to promote a Vicodin addiction recovery program, Krane said.

NABP has itself purchased advertising tied to the term "Vicodin" on Google, sponsoring an ad warning consumers about the dangers of ordering drugs online.

Drugstore.com is also a major Google advertiser, and would likely benefit from a reduction in the number of advertisers competing for keywords through lowering its own advertising costs. Drugstore.com's Conner said the company did not expect to increase sales through this effort, however, since it already requires customers to produce a prescription for the drugs they buy.

Drugstore.com has also contacted AOL about the issue. The online giant licenses Web search and sponsored search results from Google, and ads for unlicensed pharmacies have appeared within AOL search results in the past, according to NABP.

AOL spokesman Andrew Weinstein said the company's advertising practices are in line with policies advocated by Drugstore.com and the NABP, as a matter of long-standing policy.

"We do not accept ads from any offshore pharmaceutical companies. We only accept ads from pharmacies accredited by VIPPS," Weinstein said. "We work with search partner Google to try to ensure that all the search links, the sponsored search links, are in line with that standard. I say 'try' because occasionally things slip through and we try to bring them down right away."

Overture, the commercial search arm of Yahoo, is evaluating its options in the arena of pharmaceutical advertising.

"We are currently evaluating a third-party program to help identify legitimate online pharmacy advertisers that are appropriate for Overture's marketplace. In addition, we are continuing to explore other alternatives to help us achieve this goal," Overture said in a statement.

Lisa Gurry, MSN group product manager, said that the Microsoft unit is "working closely with our top partner for paid search ads, Overture, and others in the industry to ensure any concerns regarding online pharmacies are addressed."
*******************************
CNET News.com
California voting machine called into question
Last modified: November 4, 2003, 4:59 PM PST
By Paul Festa

As voters in California go to the polls, the state is launching an investigation into alleged illegal tampering with electronic voting machines in a San Francisco Bay Area county.

The voting machine fracas involves Diebold Election Systems, a North Canton, Ohio-based company whose machines are in use by four of California's 58 counties--Alameda, Plumas, Riverside and Shasta--and will be used by three more next year: Kern, San Joaquin and Solano.

The Voting Systems Panel, an advisory committee to Secretary of State Kevin Shelley, was widely expected to certify Diebold's new model, the AccuVote-TSx, on Monday. The model currently in use by California counties and elsewhere is the AccuVote-TS, which at 50 pounds weighs about twice as much as the one under consideration and incurs additional transport and security costs as a result.

But at the meeting, a panel member raised allegations that Diebold had inserted software into Alameda's machines--software that the state had not certified. If true, that would violate California election law, according to the secretary of state.

"There were allegations that uncertified software may have been installed in California inappropriately, and we're looking into it," said Doug Snow, a spokesman for Shelley. "Our elections officials are examining this. In California, the law requires notification to the state when there are these software upgrades."

Diebold did not return calls seeking comment.

Controversy has crept up repeatedly on the company this year as the debate heightens over the security and reliability of touch-screen voting. The company boasts 33,000 machines in the United States.

In July, computer security experts from Johns Hopkins University and Rice University failed the company's machines on a security audit. The company has been pursuing legal action against two Swarthmore students, among other people, who have posted to the Web the company's internal e-mail correspondence, which also calls into question the quality of the company's product.

In addition, the company and its chief executive, Walden O'Dell, have come under fire for partisan donations and remarks. Diebold donated at least $195,000 to the Republican Party between 2000 and 2002, and O'Dell once pledged to "deliver" Ohio's electoral votes for President Bush.

Meanwhile, California counties are under the gun to modernize their voting equipment. Nine counties still use the type of punch card machines that proved notoriously inexact in the 2000 presidential election. The state will decertify those machines in March.

The panel voted to table certification of the new machines indefinitely, pending the investigation into the software upgrade in Alameda.

One person familiar with the panel's action pointed out that the software upgrade in question had already earned its federal certification, and called the issue more procedural than substantive.

But elections watchdogs called that a distinction without a difference.

"Even if the software in question did go through federal testing, that doesn't change the fact that Diebold violated the state's certification laws," said Kim Alexander, founder and president of the California Voter Foundation. "It's the law in California that any system used in an election has to be certified. And when it comes to certification, the procedures are substantive."

The Alameda County Registrar of Voters did not return calls seeking comment.
*******************************
Government Executive
November 10, 2003
Latest anthrax scare brings call for better bioterror technology
By Chris Strohm
cstrohm@xxxxxxxxxxx

The Postal Service reacted appropriately in response to an anthrax scare last week at a mail facility in Washington, but the incident illustrates the need for better bioterrorism technology, federal officials said Monday.


Del. Eleanor Holmes Norton, D-D.C., said the Postal Service had no choice but to close 11 mail facilities last Thursday when preliminary tests on an air sample from the Naval Consolidated Mail Facility in Southeast D.C. indicated possible anthrax contamination. Most mail handled at the Navy facility also passes through the V Street N.E. Post Office, which serves federal agencies.


In the fall of 2001, five people in Connecticut, Florida, New York and Washington were killed and 13 others sickened when anthrax-laced letters were sent to two U.S. senators and a number of media outlets.


"I think the postal service is erring toward overreaction rather than caution, and I can't blame them," Norton said. "I think that until we get better bioterrorism protection, they are put in the position of having to shut down facilities when the odds are very much against the discovery of a harmful substance."


Tests at the Naval Medical Research Center in Silver Spring, Md., over the weekend were negative for anthrax, said Navy spokesman Lt. Mike Kafka. By Monday, the closed mail facilities were reopened and more than 1,000 postal employees returned to work.


After the 2001 anthrax attacks, postal officials came under fire from employees and others for failing to shut down the Washington processing plant that handled the anthrax-tainted letters. The letters were processed at the Brentwood postal facility, renamed the Joseph Curseen Jr. and Thomas Morris Jr. Processing and Distribution Center, in honor of two postal employees who died from anthrax exposure. In October, Brentwood Exposed, a group of Washington-area postal workers, filed a class action lawsuit over the incident.

The deaths led postal officials to adopt new mail-handling procedures at government postal facilities in Washington, including irradiating mail to render anthrax spores harmless.


"I think that this past week was a testament that those systems do work and they are in place to protect not only the postal workers, but those who receive mail from those facilities," said Kafka.


Sally Davidow, spokeswoman for the American Postal Workers Union, said the Postal Service handled the situation appropriately. She said communication with postal workers has gone through "ups and downs since 2001" but was good last week.


"I think in this incident that things were handled well," she said. "We certainly supported the Postal Service's decision to close the 11 offices as a precautionary move while the tests were being done."


Sen. Susan Collins, R-Maine, chairwoman of the Senate Governmental Affairs Committee, which has oversight over the Postal Service and the Homeland Security Department, agreed with Norton that better technology is needed.


"Unfortunately, this incident also shows how vulnerable we still are to bioterrorist attacks," Collins said Friday. "Now, more than ever, it is essential that we work to fill the gaps in our nation's defense and surveillance systems against bioterrorism."


Postal Service spokesman Bob Anderson said the agency plans in March to install new biohazard detection systems at 282 major processing and distribution centers across the country. The new systems will scan mail that is collected from drop boxes for possible contamination, Anderson said. All mail destined for federal agencies in Washington will continue to be irradiated.


However, if federal agencies and private companies want protection beyond what the Postal Service is doing, they need to invest in new technology themselves, Anderson said.


Overall, the anthrax scare last week did not cause significant disruptions to the federal government, a General Services Administration spokeswoman said. She said mail collection and delivery was stopped for Friday only, and returned to normal on Monday.
*******************************
Associated French Press
Singapore toughens laws to combat cyber terrorists
Tue Nov 11, 12:48 AM ET

SINGAPORE, (AFP) - Singapore has introduced tough new laws that allow authorities to take action against "cyber terrorists" before they strike.


The Straits Times daily said changes to the Computer Misuse Act, which passed through parliament on Monday, allowed for "pre-emptive action" against hackers.


Under the old law, authorities could only act after a hacker committed a crime. Hackers face a maximum three years in jail or a fine of up to 10,000 Singapore dollars (5,750 US dollars).


Senior Minister of State for Law and Home Affairs, Ho Peng Kee, told parliament the new laws were prompted by a rising threat from cyber terrorism.


"Instead of a backpack of explosives, a terrorist can create just as much devastation by sending a carefully engineered packet of data into the computer systems which control the network for essential services," Ho said.


The new laws have raised concerns that they give authorities too much power and could be open to abuse.


One member of parliament dubbed it the Internet version of Singapore's Internal Security Act, which allows people to be jailed without trial.


The new laws did not specify what measures the government could take to find and act against potential hackers.


Ho said people should rely on the professionalism and integrity of authorities not to abuse the new laws, according to the Today paper.


"The powers will be invoked only to avert threats that may endanger national security, essential services such as any service directly related to communications infrastructure, banking and finance, and defence and foreign relations of Singapore," Ho said.
*******************************
Australian IT
Alleged MP3 pirates 'should be jailed'
Adam Joyce
NOVEMBER 11, 2003 
 
TWO university students who ran a website offering almost 1,000 pirated songs for download should be jailed, a Sydney court has been told.

The Commonwealth Director of Public Prosecutions (DPP) today told the Downing Centre Local Court that Charles Kok Hau Ng, 20, and Peter Tran, 19, should be jailed for their involvement in Australia's largest copyright infringement case.

The Australian Federal Police (AFP) previously estimated the duo's pirated music operation, providing a hub for the large scale exchange of music files, cost the industry more than $60 million.

Ng, from Blacktown, and Tran, from Canley Heights, have no previous convictions and did not profit from their website, MP3/WMA Land, the court heard today.

But Paul Roberts, SC, acting for the DPP, told Deputy Chief Magistrate Graeme Henson that the offences committed by Ng and Tran involved "large scale infringements" of copyright over at least 16 months.

He said the "great deal of effort" involved in running the website, which received an estimated seven million hits, made the pair more culpable than a third co-offender, 21-year-old Tommy Le.

"It's the submission of the Director of Public Prosecutions that despite the fact that these two offenders were not involved in infringing copyright for commercial gain ... your Worship should impose custodial sentences on both offenders," Mr Roberts said.

Anything other than full-time jail "would not be appropriate" for Ng, who founded and maintained the website, Mr Roberts told the court in his submission.

Ng, a third-year University of NSW student, pleaded guilty to 22 charges of distributing and aiding and abetting the distribution of copyrighted material.

Tran, a University of Technology, Sydney (UTS) student and co-webmaster, pleaded guilty to 17 copyright charges.

He had more than 1,800 MP3 files on his computer when it was seized by AFP officer, and uploaded at least 58 copyrighted albums to the website.

Le, a UTS student from Punchbowl known online as "DJ Ace", mixed copyrighted music on turntables to create albums which he sent to Ng to be uploaded to the internet.

He also burnt the compilations onto CDs for distribution to friends and some Sydney club owners.

Le pleaded guilty to 29 less serious copyright charges and also had his own website featuring his mixed music.

Ng and Tran described their website as the "coolest MP3 and Windows Media Audio (WMA) site on the net".

Files could be searched and downloaded as singles or complete albums, and some songs were available before they had been officially released in Australia.

Ng told police he established the music download website "to help people out and not to profit", the court was told today.

The men face up to five years' jail and a $60,500 fine for each offence.

All three men remain on bail and will be sentenced next Tuesday.
*******************************
Australian IT
The year ahead for viruses and worms
Chris Jenkins
NOVEMBER 11, 2003 
 
AFTER the busiest year ever in internet security, experts warn 2004 could be twice as intense.

Symantec senior director of security response Vincent Weafer told a Sydney conference the pattern of attacks in 2004 will follow the trend set in 2003, with a major attack every few months.

While mass-mailer attacks still would be the most common, hackers would be looking for more ways to attack a machine, including instant messaging applications, he said.

"From an IT point of view they (IT managers) are going to have to start watching all the protocols and all the avenues," he said.

Increasing adoption of Linux by home and corporate users could see it emerge as a greater target for attack in the next one to three years, Mr Weafer said.

The number of viruses present in Australia over the past few years has remained constant at between 40 and 55, McAfee security fellow Jimmy Kuo told the Association of Anti-Virus Researchers Asia (AVAR) conference.

The stability reflected Australia's relatively high proportion of dial-up internet users.

However, the increase in broadband use in Australia could almost double the number of viruses resident in Australian systems to between 80 and 90 by the end of next year, he said.

The total worldwide cost of viruses, worms and other security problems amounted to $US45 billion in 2002, former White House adviser and chairman of Good Harbour Consulting, Richard Clarke, told the conference in a pre-recorded address.

The 2003 cost will be much higher, with estimates putting the bill for August alone at $US38 billion ($54 billion).

Current estimates put the total cost for 2003 at between $US119 billion and $US145 billion, he said.

"Things are getting worse. The rates are up, the things that are being hit in the private sector are getting more critical and the damage is far more than it was just a few years ago," he said.

The "next wave" of worms and viruses could carry far more damaging payloads, he said.

The threat of a "zero day attack" - where a hacker exploits a vulnerability that had not previously been discovered and patched - was also growing.

Response windows for announced vulnerabilities were also shrinking, with hackers now able to exploit vulnerabilities in as little as six hours.

The speed with which worms themselves propagated would only increase in the coming year, AUSCERT general manager Graham Ingram said. Increasingly harassed by international legislation, spammers could also turn to worms to do some of their work for them. He said this could be part of a larger trend towards more sinister worms.
*******************************
Federal Computer Week
Jury still out on e-voting
Touted as an antidote to the hanging chad, e-voting solution not proven, experts say
BY MICHAEL HARDY
Nov. 10, 2003

Three years after the Florida election results debacle, electronic voting machines remain largely untested and controversial.

Legislation that could add voter-verified paper ballots to controversial touch-screen electronic voting machines remains stalled in a House committee, despite 61 cosponsors.

More and more election authorities are buying the machines, which are made by several companies. They are spurred by the Help America Vote Act of 2002 (HAVA). The law provides funding to replace outdated punch card and lever systems in an effort to avoid repeating the Florida chad controversy that kept the 2000 presidential election in limbo for weeks.

Touch-screen machine glitches caused some problems in the Nov. 4 elections. In Virginia, the Fairfax County Republican Committee filed a suit Nov. 4 challenging the validity of some votes after several malfunctioning machines were taken away from polling places for repairs while the election was under way.

Nine machines were taken out of their polling places, repaired and returned, said Judy Flaig, Fairfax County election manager. "No votes were lost," she said.

Eddie Page, chair of the county Republican group, said the challenge wasn't about the technology. "Voting machines were removed from the ballot house," he said. "It has nothing to do with the hardware at this point." Advanced Voting Solutions Inc. of Frisco, Texas, made the machines.

However, critics of the electronic systems say that voters using them have no way to verify that their votes are being recorded and counted accurately.

In addition, some computer scientists believe that at least one company's software contains security flaws that could allow vote tampering, based on research led by Aviel Rubin, an associate professor of computer science and technical director of the Johns Hopkins University Information Security Institute in Baltimore.

Officials at the company, Diebold Inc. subsidiary Diebold Election Systems, dispute those claims and say the scientists used an early version of the code and made faulty assumptions about election procedures. Diebold officials, however, did not respond to repeated requests for interviews.

The legislation, called the Voter Confidence and Increased Accessibility Act of 2003, introduced by Rep. Rush Holt (D-N.J.) in May, would require that the machines, generically called direct recording electronic (DRE) machines, print out a paper record of each vote so the voter can make sure it is correct. The printed ballot would be stored at the polling place and used if a manual recount or an audit of the results is needed.

Although the bill has attracted 61 cosponsors, all Democrats, it is still in the House Administration Committee. The bill has yet to attract any Republican support, according to Holt's staff.

"HAVA is fueling a rush by some states to buy computerized voting machines that have serious defects," Holt said in a statement. "Unless Congress acts to pass legislation that would ensure that all computerized voting machines have a paper record that voters can verify when they cast their ballots, voters and election officials will have no way of knowing if the machines are counting votes properly."

Paper records introduce their own problems, Flaig said. "The problem we have is who verifies the voter?" she said. Voters who wanted to create chaos could falsely claim the paper record did not accurately reflect their votes. "And we couldn't prove it at all," she said. "At some point, you've got to trust the system."

Holt introduced his bill as concern over so-called black box voting was building. In July, the Johns Hopkins team fanned the flames with the results of their analysis of Diebold AccuVote-TS code, obtained from an unofficial Web site. Maryland officials, who were close to finalizing a $55 million purchase of machines to use statewide, asked Science Applications International Corp. to perform a second analysis.

SAIC officials confirmed that the Hopkins researchers had analyzed the code properly, but said that many of the risks could be avoided or minimized by not connecting the machines to a network and by implementing security protocols and processes for election officials and poll workers.

SAIC's report, dated Sept. 2, echoed Diebold's criticism. "While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the state of Maryland's implementation of the system and the election process controls or environment, [which] reduce or eliminate many of the vulnerabilities identified in the Rubin report," the SAIC report states.

Ultimately, Maryland officials completed the purchase, accepting 12 of SAIC's 17 recommendations. Diebold officials agreed to make three software changes to increase security but only for machines sold in Maryland.

The recommendations included steps to make the machines more secure and to raise the awareness of election officials. State officials agreed, among other things, to bring the system into compliance with the state's Information Security Policy, to implement a formal and documented system security plan, to change default passwords printed in Diebold's documentation and to review any changes to the system through a formal risk assessment process.

The Hopkins team suggested that unscrupulous voters or poll workers could forge the smart cards that citizens use to cast their votes, thereby allowing multiple votes. The team also reported that if election results were transmitted via the Internet from polling places to a central office, they could be intercepted and altered en route.

In addition, someone within Diebold could add malicious code to the system that would open a door for exploitation on election day, they said.

Diebold officials, in a written rebuttal to the report, disputed all of those assertions.

"There are some [issues] that could be solved relatively easily, some that would take a lot of effort and some that we don't think are solvable," Rubin said. "A lot of things that they need to fix, they don't have the talent for."

Unlike the Hopkins team, the SAIC researchers examined the machines themselves, said Benjamin Haddad, SAIC's senior vice president. "It was an analysis of the Maryland systems. They have the Johns Hopkins report available to them, but the analysis was of the machines," he said.

Although the SAIC researchers agreed that many of the fears the Hopkins team raised were unlikely to threaten a real election's integrity, they did not give the system a pass and emphasized the need for meticulous security safeguards.

"The system, as implemented in policy, procedure and technology, is at high risk of compromise," the report said.

The debate is a healthy one for the electronic voting industry, said Aldo Tesi, president and chief executive officer of Election Systems & Software Inc., a Diebold competitor in Omaha, Neb. However, he said, election procedures and the realities of the polling place do contribute to the integrity of the process.

"What we've had to do is educate those who are not so close to our products about the features that are already in there, and the procedures that must surround those features," said Ken Carbullido, ES&S' vice president of software engineering. "There is so much in there that the public doesn't know behind the scenes that makes it much more secure than people realize."

Many critics of DRE machines argue that until the security of the systems can be established beyond doubt, paper records should be mandatory. "It ought not be up to people like the Johns Hopkins guys to prove the equipment is insecure," said David Dill, professor of computer science at Stanford University. "The vendors should be made to prove they are secure."

Dan Wallach, assistant professor of computer science at Rice University and one of Rubin's team members, said poll workers and local election officials should not be required to prove the system is working because they are not technology experts.

In Maryland, for example, Diebold officials agreed to change the system to encrypt the electronic transmission of election results and provide personal identification numbers for election officials so the system can log the identities of those accessing it.

The state also will establish a formal process for the review of audit trails and provide information security awareness and training for people who have access to the systems.

"The state of Maryland is requiring very, very small changes to Diebold's source code and putting all the onus on poll workers, which is very, very difficult and is not good enough," Wallach said.

Kim Zetter, a reporter for Wired News who has been following the issue, tested the notion that trained poll workers are the real defense against fraud during the October recall election in California. Observing a training session in Alameda County, she found apparent lapses in procedures, she said.

"The registrar of voters of Alameda County assured me that despite what was raised in that report, Alameda County was safe because they had procedures in place that would prevent" any problems, Zetter said.

"I was a bit amazed at not only the lack of security, but also their cavalier attitude about the lack of security," she said. "It didn't seem to register with them the things I raised to them. They didn't ask for my ID. They never asked anyone for ID."

Poll workers get keys to the machines and the buildings they are stored in several days before the election, Zetter said. The same key will open all the machines in the voting precinct - and possibly the whole county - giving any one person access to multiple machines, she said.

"No one seems to be addressing security issues because they don't expect anybody to do anything," Zetter said.

Some DRE critics point to optical scan devices as a better computer technology, because the voter fills out a paper ballot that the scanner then reads. Such systems combine the benefits of rapid and accurate vote tallying with the security of a paper audit trail to check in case of a dispute, they say.

Tesi said ES&S would be willing to add a paper record capability to its touch-screen machines if buyers want it.

Skepticism about the machines hurts the election process, Flaig said. "It's gotten to the point now, after Florida, where everybody who loses a race wants to go to the courts and find a way to change it," she said. "Nobody loses anymore because they didn't get as many votes. It's always because somebody tampered with something. Maybe the other candidate had a better message."

"I think we need an election system that doesn't depend on the technology," Dill said. "You can't make an ordinary computer secure enough to deal with voting without a backup system. Voting is a hard problem. People want to steal elections. Elections are a matter of national security. I don't think it's really doable right now."

***

Covering the bases

Maryland leaders decided to implement 12 measures that Science Applications International Corp. officials recommended to minimize the risk of electronic voting data being compromised.

Here is a sampling of what they agreed to:

* Bring Diebold Inc.'s AccuVote-TS voting system into compliance with Maryland's information security policy and standards.

* Consider creating a chief information systems security officer position at the Board of Elections.

* Implement a formal, documented, complete, and integrated set of standard policies and procedures.

* Apply cryptographic protocols to protect the transmission of vote tallies.

* Require 100 percent verification of unofficial election results.

* Establish a formal process requiring the review of audit trails.

* Provide formal information security awareness, training and education appropriate to each user's level of access.
*******************************
Federal Computer Week
No need to rush
Nov. 10, 2003

The prospect of hanging chads may cast a shadow on next year's presidential elections, yet the solution being considered by some states - electronic voting machines - could introduce new and equally troubling uncertainties into the voting process.

It's a healthy reminder about the problems that arise whenever agencies introduce technology into the field.

The latest generation of touch-screen systems, immediately familiar to people who use automated teller machines, could make it easier to design user-friendly ballots and avoid the problems that confounded voters in Florida during the 2000 presidential election. Such systems also should make it easier for states to tally and manage voting data.

But as election year approaches, some experts are raising questions about those systems that must be answered before states rush to embrace this technology.

As might be expected, the main concern is security. Is it possible for a hacker - or an election worker - to tamper with votes and alter election results? Such a concern is not unique to electronic voting, but the protocols used to minimize such risks in the past do not necessarily apply to the newest systems.

Proponents of electronic voting systems say any concerns can be addressed with a mix of technology and procedures. Such solutions, though, are contingent on election staff being trained to install, manage and operate those systems. However good the technology is, that contingency should convince states to take a slow and methodical approach to adopting new systems.

It's not just a question of the security of the systems, but the integrity of the vote. That makes it all the more puzzling that Congress would stall an effort to require electronic systems to generate a paper record that can be reviewed by the voter and state officials. Such verification could play a vital role in inspiring voter confidence in the system.

In the long run, electronic voting systems are likely to emerge as the option of choice for many states. But people making that choice should make sure they have all the information they need before electing to make the switch.
*******************************
Federal Computer Week
Bias in the voting box?
BY Michael Hardy
Nov. 10, 2003

The controversy over the touch-screen voting machines made by Diebold Election Systems, a subsidiary of Diebold Inc., has led to several allegations that various parties have conflicts of interest.

Aviel Rubin, the Johns Hopkins University computer science professor who led the initial research, served on the technical advisory board of VoteHere Inc. while he studied the Diebold source code. Rubin resigned the post in August and returned his stock options to the company. Rubin said it was never an active relationship, and that the university determined there was no conflict. However, he admitted in an August 17 statement that he should have disclosed the information when his team released its report.

Meanwhile, David Dill, a computer scientist at Stanford University who runs a Web site called www.verifiedvoting.org to call attention to the issue, criticized a report, sparked by the Rubin report, that Science Applications International Corp. performed for the state of Maryland. SAIC holds a standing contract to perform information technology analyses for the state when needed, and Dill said he believes their risk assessment downplayed weaknesses in the system out of deference to the Maryland governor's office, which was already contracted to buy the machines before ordering the report.

Benjamin Haddad, SAIC's senior vice president, fired back, saying it is Dill who is not being objective. "There is no validity to it. He has an agenda," Haddad said. "He's very active in pushing that point of view. Our people just do good, sound technical work."

And Diebold Inc. CEO Walden O'Dell raised eyebrows in August, a month after the Rubin report, when he wrote a Republican fund-raising letter pledging that he was "committed to helping Ohio deliver its electoral votes for the president next year." Diebold Inc. is based in Canton, Ohio.

By September, a chastened O'Dell told the Cleveland Plain Dealer, "I never imagined that people could say that just because you've got a political favorite that you might commit this treasonous felony atrocity to try to change the outcome of an election. I wouldn't and couldn't."

O'Dell emphasized to the newspaper that the election systems subsidiary is separate from the rest of the company and is based in Texas, run by its own executives and accounting for only $100 million of Diebold's $2.1 billion annual revenues.
*******************************
Government Computer News
11/10/03
Administration urges Senate to revisit cuts in tech

By Jason Miller
GCN Staff

As the Senate debates the Commerce, Justice and State fiscal 2004 appropriations bill, the Bush administration is pressing lawmakers to restore funding for the Office of Technology Policy in the Commerce Department and a variety of other technology initiatives.

The Senate Appropriations Committee has recommended distributing the funds for the office to other parts of the agency. Last year, the Technology Policy Office received $9.8 million. The House allocated $7.8 million for 2004 in its version of the appropriations bill.

Through a variety of programs and outreach efforts, the office's responsibilities include promoting innovation, encouraging entrepreneurship, improving infrastructure and educating people through technology.

Administration officials, in a Statement of Administration Policy, also are threatening to recommend that the president veto the bill if it includes a provision prohibiting the Office of Justice Programs from using funds to compete federal jobs with the private sector under OMB Circular A-76. This provision and the subsequent administration veto threat have been in nearly every appropriation bill and statement of administration policy.

The administration is asking for better funding for an assortment of IT security and e-government initiatives in Commerce, and more funding for the Patent and Trademark's technology projects. The Senate allocated $1.21 billion for the PTO, and the administration requested $1.39 billion.
*******************************
Washington Post
Consumers Can Move Home Numbers to Cells
By JONATHAN D. SALANT
The Associated Press
Tuesday, November 11, 2003; 10:36 AM

WASHINGTON - Consumers will be able to switch their home phone numbers to cellular phones later this month, thanks to new federal rules allowing them to drop conventional service and go wireless without the hassle of getting a new number.

The Federal Communications Commission rules released Monday also will allow a limited number of wireless customers to keep their numbers if they switch to traditional landline phones.

The FCC has already told cell phone users that they will be able to keep their phone numbers when they change wireless carriers.

The new rules take effect Nov. 24 in the largest metropolitan areas. They will apply to everyone else beginning May 24.

"This gives consumers much sought-after flexibility and it provides further competitive stimulus to telephone industry competition," Commissioner Michael Copps said. "This makes it a win-win situation for consumers and businesses alike."

As many as 7 million consumers use cell phones exclusively. Jeff Maszal, research director for The Management Network Group, an Overland Park, Kan.-based communications consulting firm, said an additional 19 million consumers are likely to drop their landlines for cell phones now that they can keep their home or business phone numbers.

The cellular industry praised the new rules.

"Competition has proven to be the strongest force for falling prices and increased innovation, and America's landline telephone customers will have choices like never before," said Steve Largent, the former Republican congressman from Oklahoma who now heads the Cellular Telecommunications and Internet Association.

But the association representing the local phone companies that dominate residential service, such as BellSouth and SBC Communications, said the new rules will allow wireless companies to take away their customers while restricting their ability to do the same to cell phone users.

"Instead of ensuring the benefits of a vibrant voice market, the FCC severely limited consumer choice by sharply reducing the ability of wireline providers to actively compete for customers," said Walter B. McCormick Jr., president of the U.S. Telecom Association.

The reason has to do with the different local service areas for wireless and landline companies. Under the FCC regulations, a phone customer can unplug a corded phone and transfer the number to a cell phone if the wireless company serves the same area. But a customer wishing to transfer a number from a cell phone to a landline can only do that if the exchange - the three digits following the area code - falls within the same geographic area, known as a "rate center," in which the house or business is located.

As a result, local phone companies will be able to go after only about an eighth of cell phone customers, while the wireless industry has no similar restrictions, BellSouth spokesman Bill McCloskey said.

Commissioners acknowledged the inequities, but said the chance to inject competition into the local phone market could not be passed up.

"Although, in the short term, wireline carriers will have more limited opportunities to benefit, ... I was simply not willing to block consumers from taking advantage of the porting (switching) opportunities that are technically feasible today," Commissioner Kathleen Abernathy said.

Landline companies must transfer numbers within four business days. The FCC said it would look at whether to shorten the time.

Cell phone customers who want to switch wireless companies could have new service as quickly as 2 1/2 hours after the new carrier has contacted the old provider. The transfer will take longer if more than one line is involved.
*******************************
Washington Post
Britain Plans to Introduce Identity Cards
By MICHAEL McDONOUGH
The Associated Press
Tuesday, November 11, 2003; 10:32 AM


LONDON - The British government said Tuesday it wants to introduce compulsory identity cards to protect against illegal immigration, welfare fraud and terrorism - though implementation is years away.

Home Secretary David Blunkett said the government would introduce the scheme after building a national database of biometric information using fingerprints, iris scans and facial recognition technology.

"An ID card scheme will help tackle the crime and serious issues facing the U.K., particularly illegal working, immigration abuse, ID fraud, terrorism and organized crime," Blunkett said.

The Home Office said "using multiple identities is one of the most common practices of those involved in terrorist activity."

But the issue of identity cards has split Prime Minister Tony Blair's government, with some ministers reportedly claiming that they are too expensive and threaten civil liberties.

Britain has not had compulsory identity cards for ordinary citizens since shortly after World War II. Such ID cards are mandatory in several Western European countries, including Belgium and Germany.

Blair has endorsed the idea in principle, but his office last week said it would take years to resolve the many complex issues surrounding the plan.

Britain is already working on upgrading passports to include chips containing biometric data, and the UK Passport Service will soon begin a six-month biometric pilot to test face, iris and fingerprint capture and recognition technology, the Home Office said. It said officials also planned to use biometric technology for driving licenses.

The information would be used to compile a national database, the Home Office added.
*******************************
Mercury News
Posted on Mon, Nov. 10, 2003  
 
Touch screens worry voters
South Florida voter opinions reflect increasing national concern about the security of electronic voting and the desire for a paper record.
BY ERIKA BOLSTAD
Miami Herald

As voting reform sweeps the nation, its main mechanism -- the electronic voting machine -- is increasingly under fire.

Miami-Dade and Broward counties already are exploring ways to enhance voter confidence in the machines, and 25 percent of likely voters polled in Broward said they were "not confident at all" that the electronic system would accurately tally their vote.

While most people who had used the machines said they were "very satisfied," more than half said it was important to have a paper record of their vote -- something that does not exist at present. The telephone survey was conducted last week for The Herald by Florida Voter.

"I think if people knew more about the potential problems associated with the machines, the number would actually be higher," said U.S. Rep. Robert Wexler, a Boca Raton Democrat who has been advocating paper records for the voting machines used in South Florida.

"When you vote on these machines, you have no idea whether your vote is being counted and tabulated properly," Wexler said. "If something goes wrong, there is nothing that can be done. Your vote is lost."

Manufacturers of voting system software and hardware vigorously defend the accuracy and security of their product.

"If we can trust memory cards to program aircraft, and we can trust memory cards to program satellites and the devices we use in surgery, why don't we trust the same memory devices in voting machines?" asked Russ Klenet, a lobbyist for Election Systems & Software, the company that manufactured machines used in Miami-Dade and Broward counties.

Klenet points out that results are stored in three different places inside each machine, a redundancy designed to prevent errors.

Among the chief national critics of electronic voting is David Dill, a computer science professor at Stanford University.

Electronic voting is not only prone to errors and susceptible to fraud, but leaves no paper trail for a recount, Dill said.

And that seems to be the biggest obstacle to the faith of the voting flock.

Once the buttons are pushed, the screen is reviewed and the digital "thank you" is displayed, the voter walks away with nothing except a sticker from the poll worker.

"The machine could do something behind the scenes and no one would ever know," Dill said. "Right now, the only option I really see is paper."

What started as a fringe movement among computer scientists and community activists has entered mainstream discussions about elections.

Commissioners in Miami-Dade and Broward counties are exploring whether to attach printers to their existing iVotronic touch-screen voting machines. Reports outlining options are pending in both counties. Broward's is expected next week.

Both counties put the machines into use in 2002 when the state Legislature outlawed punch-card voting systems after the 2000 presidential recount.

'BILL OF GOODS'

"I think they got sold a bill of goods from the computer people," said Terry Low, a Republican voter from Weston who was unpleasantly startled by a recent magazine article about the technology.

"They went off and bought something without totally thinking it through."

Some of the voter distrust in the equipment may be a product of the current leadership issues in the Broward elections office, said Jim Kane, lead pollster for Florida Voter and author of The Herald's poll.

Broward County Supervisor of Elections Miriam Oliphant had little support among 399 likely voters surveyed by Florida Voter Oct. 30 through Nov. 3. The poll has a margin of error of plus or minus 4.9 percent.

Of those surveyed, 84 percent said they would not vote to reelect Oliphant. Sixty percent said they felt the governor should suspend Oliphant.

CONFIDENCE SHAKEN

The 2000 presidential recount also shook the confidence of many, Kane said. Three years ago, the percentage who felt their votes weren't going to be counted would have been closer to 5 percent, not the 25 percent measured in this poll, Kane said.

"They're not trusting the office, and they want some kind of proof, a paper trail, simply because it validates their vote," said Broward County Mayor Diana Wasserman-Rubin.

Currently, no state has certified use of a printer, but if there is a clamor for the equipment, the companies will meet the demand, said Klenet, of Election Systems & Software.

But from California to Florida, many people are suspicious and more are confused about how the machines work and how they tally votes.

"We have gone from a totally transparent process to a totally opaque one," said Fort Lauderdale lawyer Sam Fields, who has criticized electronic voting equipment since Broward County started considering the purchase in late 2001.

Helping to fuel the controversy has been a Johns Hopkins University report that questioned the security of systems made by Diebold Election Systems. Many of the issues raised in that report related to "smart cards" inserted in voting machines by individual voters. The equipment used in South Florida uses a different system, controlled by poll workers, not voters.

Fueling the controversy was also a fundraising letter sent by Diebold's chief executive, Walden W. O'Dell. According to news reports, he wrote that he was "committed to helping Ohio deliver its electoral votes to the president next year."

WIDE SUPPORT

Still, electronic equipment is widely supported by election supervisors across the country, who swear by its accuracy and love the fact they don't have to spend thousands of dollars on paper ballots at each election. Florida elections officials recently issued a report affirming their support for the equipment.

The nation's largest voting jurisdiction, Los Angeles County, is gradually transitioning to electronic voting, said Conny McCormack, who oversees elections for the county's four million registered voters.

McCormack, who appeared on an election-reform edition of The Diane Rehm Show on National Public Radio last week, told listeners she fears the thought of printers at every precinct. "We routinely see jam-ups in the grocery store register tape," McCormack said. "Imagine that kind of trouble on Election Day."

"There's been no testing of any of this," McCormack said on the air. "Now there's an attempt to legislate what hasn't even been invented yet."

Oliphant has long been a critic of the ES&S machines the county purchased for her. Oliphant wanted the county to buy Sequoia machines, which are used by Palm Beach County.

OPTICAL SCANNING

But Oliphant said she's also vehemently opposed to optical scanning, a paper-based system. Some Broward County commissioners have suggested they sell off their $17.2 million inventory of machines and switch to the lower-tech equipment, which requires voters to fill in their choices with a pencil. The ballots are then scanned by a computer that reads the pencil marks and tabulates the results.

Last week, Broward County counted 14,752 mail-in ballots with the optical-scan equipment, which is used to count absentee ballots in regular elections.

"I would not recommend this countywide," Oliphant said Tuesday, while the votes were being counted. "Optical scan has a lot of human error."
*******************************
Mercury News
Posted on Thu, Nov. 06, 2003
SURE, IT SEEMS LIKE YOU VOTED, BUT WITHOUT A PAPER TRAIL . . .
Mercury News Editorial

Santa Clara County's touch-screen voting system passed its first big test Tuesday in an easy spin around the track.

There were no technical glitches -- at least none you could see; well-trained poll workers performed flawlessly, and voters, by and large, raved about a chad-less process that can be as easy as getting a fast $40 from an ATM.

Only about a third of the 5,500 machines that Sequoia Voting Systems is supplying the county were needed Tuesday.

Touch-screens are simple to use. But looks can deceive, since there's no way for voters to verify that the software inside the machine accurately recorded the candidates' names they pressed on the screen.

That's why it's encouraging that Sequoia has announced it will seek certification in January for a paper audit -- a feature that will produce a printout of the ballot for voters to inspect.

Touch-screens can be terrific. But without a paper trail, they're still just a shiny black box inviting error and fraud.
*******************************
Wired News
Suspect Code Used in State Votes 
By Kim Zetter
02:00 AM Nov. 06, 2003 PT

An investigation by California's secretary of state has revealed that Diebold Election Systems placed uncertified software on electronic voting machines in a California county.

Voters in Alameda County, a densely populated region in the San Francisco Bay Area that includes the cities of Berkeley and Oakland, used a Diebold touch-screen-voting system utilizing uncertified software in Tuesday's election and in last month's gubernatorial recall election.

Although the software was used in at least two elections, Doug Stone, spokesman for the secretary of state, said voters should not worry about the integrity of the election results. He said the state tested the software but did not elaborate on when that testing occurred.

Stone said his office learned late last week about the possibility that uncertified software may have been used in the machines. The state then launched an investigation into the matter and halted certification of the AccuVote-TSx, a newer model of Diebold's touch-screen machines, which were supposed to be used in California's primary election in March 2004.

Marc Carrel, assistant secretary of state, surprised Diebold representatives and others at a meeting of the state's voting systems panel Monday by announcing that his office had received "disconcerting information" about the company and would hold off certification until an investigation was completed.

The AccuVote-TSx is a modified version of AccuVote-TS, an electronic touch-screen machine that is used in Alameda and Plumas counties. Los Angeles County also uses a small number of the machines for votes cast prior to regular election days.

Diebold and state election officials say the TSx is lighter and more compact than the TS and includes minor software modifications from the previous version.

Alameda County purchased 4,000 touch-screen machines last year at a cost of $12 million.

Before a state can use a voting system, the software and hardware must be audited by an independent testing authority that examines the code according to certification standards set by the Federal Election Commission.

Once the independent authority certifies the system, states can then test and certify the systems for their polling places.

California election law requires voting companies to notify state officials when they make changes to software after certification has been completed. Secretary of state spokesman Stone said Diebold did not do this when it applied a "software upgrade" to systems in Alameda County.

He said the state's investigation of the Diebold machines is ongoing. Among the outstanding questions is when the uncertified software was placed on voting systems and in which elections it was used.

Stone said the state would be examining "corrective steps to come up with ways to ensure that these types of actions do not occur again."

He also said it was unclear whether any measures would be taken against Diebold for its actions since the matter is still under review. The state needs to evaluate the election law, he said, and investigate what happened with the software.

Alameda County election officials did not return calls for comment. But Elaine Ginnold, the county's assistant registrar of voters, told the Oakland Tribune that she had no idea the uncertified software was used. "We were upset, to say the least," she said.

The state's decision to delay certification of the new Diebold machines means that several California counties are waiting to hear whether they will be able to use them in the 2004 election.

San Joaquin County in Northern California has purchased 1,600 TSx machines at a cost of $5.7 million. The machines already have been delivered, but the county does not have to pay for them until they pass testing and state certification.

Solano County paid $4.6 million for 1,171 TSx machines. And San Diego County is currently in negotiations with Diebold to purchase 10,000 TSx machines at a cost of $30 million.

Critics say the incident in California highlights a number of security problems that have emerged since states began switching to electronic voting machines that use proprietary software created by private companies.

Voting companies and election officials insist that rigid certification procedures ensure the security of the machines.

But critics say the fact that Diebold could install uncertified software on machines without the state's knowledge suggests that current certification procedures cannot ensure the integrity of election systems or, for that matter, election results.

Kim Alexander, founder and president of the California Voter Foundation, said, "Voting companies and election officials who have embraced electronic voting say that certification procedures and testing are adequate to protect the integrity of the voting systems. But for a vendor to be accused of placing unauthorized software into a voting system undermines one of the prime arguments they have been making for the past year and brings into question the integrity of the entire voting system."

Voting-machine companies and state election officials say that individual states and counties provide enough protection of the systems to prevent anyone from tampering with them.

However, a Wired News investigation in Alameda County prior to last month's gubernatorial recall election revealed lax security measures.

This is not the first time Diebold has been accused of circumventing voting rules and procedures.

A former worker in the Diebold warehouse in Georgia has alleged that the company installed three uncertified software patches last year on 22,000 machines that it sold to Georgia for $56 million.

The employee, who worked as Diebold's deployment manager in its Georgia warehouse in July 2002, said workers installed three patches to fix malfunctioning machines before delivering them to Georgia counties. He said Diebold never notified state officials about the changes or submitted the patches for review and certification by an independent testing authority. A fourth patch that state contractors applied after the machines were delivered to the counties and shortly before the gubernatorial election in 2002 was passed through an independent testing authority, according to a state contractor.

Diebold did not return calls for comment.
*******************************