South Carolina’s Democratic Primary: The Result of an E-Voting Malfunction?

Alvin Greene’s recent victory in South Carolina’s Democratic Senate primary has lots of people wondering how a relative unknown who did not campaign could win sixty percent of the vote against a four-term state senator. Although plenty of theories have surfaced—that it was because his name was first on the ballot, that his name reminded people of soul legend Al Green, that it was all a Republican plot—one possibility is harder to refute than it ought to be: problems with the electronic voting machines.

Greene’s primary opponent, Vic Rawl, has now publicly pointed a finger at the voting machines (by the way, if Alvin Greene got the Al Green votes, why didn’t Vic Rawl get the Lou Rawls votes? Someone needs to investigate this soul singer gap). Columbia’s WTLX.com quotes Rawl as saying, “It appears to me that we have some sort of either machine malfunction or software malfunction.” Rawl also said he had no idea whether the malfunction was accidental or intentional. South Carolina’s election commission responded that it was “confident in the accuracy and reliability” of the voting machines.

It’s hard to know if that confidence is well-placed, however. South Carolina uses ES&S iVotronic voting machines, which have a history of accuracy and reliability issues. Newer versions support a voter-verified paper audit trail, but it’s unclear whether South Carolina uses that feature. The elections commission said that every vote was recorded and left a paper trail, but its web page describing the process of voting with the machines says nothing about the voter verifying his or her vote against a paper record. The “paper trail” the commission talks about could be a paper record of every vote that was cast, verified by each voter; or it could be summary totals. It’s hard to tell from news reports.

If there is a good, voter-verified paper trail, machine malfunction (or tampering) is relatively easy to detect and correct. Just count the paper ballots. If there is no paper trail, or if the “paper trail” is merely a set of summary statistics, it’s impossible to know if the result is accurate.

Minnesota is one of twenty-two states that require voter-verifiable paper ballots. South Carolina is not. Minnesota law requires more than just a paper trail, however. By statute, all voting systems purchased after 2005 must be paper-based. According to that statute, voting machines must either scan marked paper ballots, or assist voters in marking those paper ballots.

If the Greene-Rawl primary had been held in Minnesota, the voting machines could quickly be eliminated as a source of the unexpected result. As it is, it may be impossible to know if Mr. Greene’s primary victory was influenced by voting machine irregularities.

Published on June 15, 2010 at 10:43 pm

Privacy Seal Provider ControlScan Settles FTC Charges

The FTC announced on Thursday that it had reached a settlement with ControlScan, a provider of so-called “privacy seals”—those small-ish images certifying a website’s security or privacy practices.

The FTC charged that ControlScan had “misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices.” Although the seals claimed that ControlScan had verified the site’s privacy practices, ControlScan did “little or no verification” of those practices, according to the FTC. The FTC also took issue with the fact that the seals had current date stamps even though ControlScan did no daily reviews.

The settlement agreement required ControlScan’s former CEO to give up $102,000 in profits. It also suspended a $750,000 penalty against the company for inability to pay.

It’s uncertain whether privacy or security seals mean much. Even when providers scan daily, how much assurance can one expect for $71.50 per month? McAfee, the big player in the market after it bought (and renamed) the “HackerSafe” seal, had its own bit of bad press a couple of years ago when it turned out that several “Hacker Safe” sites were vulnerable to cross-site scripting attacks.

Even though ControlScan appears to have been in a different category than legitimate privacy seal vendors, the FTC settlement highlights a classic reputation problem with these seals. The seals look like they mean something, but the only way to know for sure is to check the seal provider’s practices—which undermines the point of the badge in the first place.

Published on February 27, 2010 at 2:36 pm

U.S. Supreme Court to Hear Government Employer Privacy Case

The U.S. Supreme Court has granted certiorari in City of Ontario v. Quon. That’s the new name for Quon v. Arch Wireless Operating Company, the Ninth Circuit case that found that a police officer had a reasonable expectation of privacy in his text pager messages.

This should be an interesting case to watch. For a discussion of how this case might affect privacy for government employees, see Orin Kerr’s post over at the Volokh Conspiracy.

Published on December 15, 2009 at 11:38 am

Cost of Disclosing 179 Social Security Numbers in a Court Filing: $5000

Here’s a new way of holding someone directly liable for a data breach. A Minnesota attorney was fined $5000 for filing a federal court document containing the social security numbers and birth dates of 179 people. Court filings are public, which is why Federal Rule of Civil Procedure 5.2(a) says that a court filing may only contain the year of birth or last four digits of a social security number. As Judge Davis wrote in his order:

The Court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents. Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow federal and local rules.

Published on October 23, 2009 at 10:04 pm

Ninth Circuit Adopts Plain-Language View of “Authorization” in CFAA Decision

The Computer Fraud and Abuse Act (CFAA) creates criminal penalties for doing various bad things by intentionally accessing a computer without authorization or by exceeding authorized access. There’s been some debate recently over just what “authorization” means. For example, one of the issues in the Lori Drew case was whether Drew had exceeded authorized access, and thus committed a federal crime, by violating MySpace’s terms of service. Another frequent issue comes up in employment contexts: is it unauthorized access to use company computers for purposes other than those intended?

For example, suppose an employee has access to an employer’s computers for regular business purposes, but e-mails confidential data to an outside account. Later, he leaves the company and uses that confidential data to set up a competing business. Did the employee access that confidential data without authorization? The simple answer would be “no”: he had an account, he was allowed to use it, that permission had not been revoked, so any access was authorized.

The Ninth Circuit Court of Appeals recently adopted essentially this definition. LVRC Holdings, LLC v. Brekka said that such conduct is not unauthorized for purposes of the CFAA. The court looked at the language of the statute and a dictionary, and held that an employee has authorization to access a computer when the employer has given permission to use it. Because Brekka’s permission to use the computer had not been revoked when he accessed and mailed data to an outside account, the court held that his access was not unauthorized.

The Ninth Circuit rejected the agency-law analysis from a 2006 Seventh Circuit decision, International Airport Centers, LLC v. Citrin. That case had held that an employee’s authorization to access a computer ended the moment he breached his duty of loyalty to his employer—in that case, by wiping data from a laptop to hide evidence of misconduct. But in LVRC, the Ninth Circuit stuck to the text of the CFAA, noting that the CFAA is a criminal statute and should be interpreted in favor of lenience. Because the Ninth Circuit could find no agency law principles in the text of the CFAA, it held that a person uses a computer without authorization “when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”

An aspect of this case that might be of interest to employers is that Brekka did not have a written employment agreement and LVRC had no policies against e-mailing documents to outside accounts. Such a policy would presumably have made Brekka’s actions unauthorized. But it’s hard to write policies that cover every single thing an employee is not allowed to do. If a company wrote a policy that “employees are only authorized to use company computers to the extent that such use is consistent with company interests,” would that create the Seventh Circuit agency-law definition of unauthorized access? It seems like it might, but, as always, This Is Not Legal Advice.

Published on September 30, 2009 at 5:34 pm