This blog post on freedom-to-tinker came up in my feed reader today: http://www.freedom-to-tinker.com/?p=1265
The post is an e-mail from a company that makes e-voting machines that is threatening legal action if their voting machine is analyzed and the results published.
What does everyone think of this?
I think that Sequoia may be shooting themselves in the foot on this one just like Diebold did. While it is understandable to want to protect intellectual property, I as a voter would never trust a voting system that had never been independently verified.
In my opinion it would be in the best interests of Sequoia to relieve the apprehensions of their customers, the New Jersey election officials, by offering to work with Professors Felten and Appel to ensure the security of their system. If Sequoia is not willing to do so, then the voting machines should be returned. Whether Sequoia likes it or not, their system is going to be analyzed one way or another, and it would be better for them if they were a willing participant in that process.
I completely agree with DavidJSH on this. Sequoia is well within their rights to deny unauthorized access to or reverse engineering of their systems. However, it would be best for them to comply with an organization that is attempting to discover potential security flaws to have them fixed. There will be groups that will attempt to find the security flaws with malicious intention and it would be best if these security flaws were known and resolved before that happened.
I’m going to have to disagree with Robert when he says
“Sequoia is well within their rights to deny unauthorized access to or reverse engineering of their systems.”
If Sequoia still owns the machines and merely rents them to the state then you may be right on their option for “denying unauthorized access”.
However if they have been sold to the state, then the state has a right to use the machines as they see fit.
For example, Ford or Toyota would not have the option to say only I can use the system (drive the car) I bought from them. Once I buy the system, then I own it and choose who can use the system (car). However if I merely leased the vehicle, they could include in the lease terms that only I were allowed to drive, or even occupy, the vehicle, as they would still retain ownership.
Reverse engineering should fall under the same category. The only defense they can mount against reverse engineering is by patenting their system and even then it would only protect them from commercial reproduction of their system. It would not prevent anyone from testing the system for weaknesses.
Another auto example: Ford or Toyota would not be “well within their right” to stop the IIHS (insurance group) from crash testing their vehicles. This would test the system including all the hardware and software included in the system (vehicles). And yet they have no way to stop them from performing this test and publishing the test results.
Hmm, after reading the Slashdot version, I’m not sure how much, if any, reverse engineering is taking place here. It’s more just looking at the output and being “something doesn’t add up here…literally.” I think the state asking Sequoia to check out the machine is more of a slap in the face than anything, like a “I think you guys need to take these more seriously” sort of thing.
In response to James’ comment:
I do not believe the car analogy completely holds here. While the Sequoia hardware may be owned by the user, the software is probably still property of Sequoia and therefore licensed under terms of a EULA to the end user. If the EULA prevents reverse engineering or tampering, then Sequoia are within their rights to deny access to their systems.
Also, car manufacturers have it in their best interest to work with the IIHS to help make a better product. It would also be in the best interest of Sequoia to work with a group to make a better and more secure product. Perhaps there should be similar agencies for electronic and software products.
I’m not in your course, but just an interesting thought to add. Why are elections being decided by what is effectively a black box system? The problem here isn’t that Sequoia is not allowing inspection after the fact (ok, yes, that is a problem, but rather it’s the wrong one), the problem is that the state didn’t demand, from the start, to be allowed to see what is going on during elections. As for whether the state should be allowed to examine the machines, DJB knows the legal better than I do http://cr.yp.to/softwarelaw.html
I would have to disagree with you Robert. While in a standard software agreement, the producer is within their rights to restrict access to the source code. But these systems are what will be used to decide the future of this country and ultimately the world. Under any other circumstances, I would agree that the company (Sequoia) has the right to protect their software from prying. In this case, the software should be deemed public domain. If Sequoia is not willing to go along with that, they should enter a different market and leave the voting machine market to the open source community. IMO this is something our government should absolutely not be outsourcing.
Nate, Robert is talking about what is. You are talking about what ought to be.