Not Quite a Blog 2.0

I’m here this morning to warn that, whatever gloss might be put on it, the so-called “compromise” on immunity for phone companies that broke the law is anything but a compromise, and that Congress appears poised to needlessly toss the rule of law out the window and deprive these millions of ordinary Americans of their day in court. My one simple message is that no matter how they spin it, this is still immunity, period.

Indeed, there’s an easy litmus test that everyone can use when evaluating this proposal or any other: does it allow the court to rule on the legality of the surveillance? That is, does it allow the plaintiffs to obtain a public decision on whether the companies broke the law, and if they did, to get an injunction to stop them from breaking the law again? If the answer is “no”, then it’s still immunity, plain and simple.

The EFF's Kevin Bankston in a prepared statement. (emphasis mine)

(Press Release: EFF Speaks Out Against Telecom Immunity Deal)

ACLU of New Jersey has submitted an amicus brief (1.5MB PDF) in the Gusciora case, being litigated by Penny Venetis and her team at Rutgers' Constitutional Law Clinic. The brief challenges a gag order issued by the Judge based on the implications of the Judge's order with respect to 1) the first amendment rights of the experts in the case and the public; and 2) the lack of showing of good cause in restricting dissemination of results from the experts' testing.

I haven't seen the full protective order, but the two paragraphs at issue here are troubling. I can't imagine any expert that could agree to those terms that also hopes to be available for such work during the next few years (while the case makes its way through the courts). For academics that work in this field, the order is even worse in the sense that one couldn't discuss any aspect of their findings and could even be chilled in discussing findings from other studies.

One thing that gets me is the continual use (in all areas of voting technology) of the terms "proprietary information" and "confidential information". Let's be clear here: the only types of information that could be compromised by disclosure are trade secrets and confidential personal information. Any other term is just not acceptable: the other forms of intellectual property---copyright, trademark and patent rights---would not be implicated by disclosure of the information; that is, the vendor would still be able to enforce those rights. And any confidential information that is not personal information is a trade secret.

Vendors in voting systems have been getting a "pass" on the issue of trade secrecy for too long. In other contexts, trade secrets are things that one can point to and identify (e.g., the recipe for Coca-Cola). Vendors of voting technology have been able to point vaguely at their hardware, software and documentation and say, "There's trade secrets there." Undoubtedly there are. However, we need a mechanism by which vendors can positively identify trade secrets... or reviewers should be able to ask, "Is there a trade secret in this sentence from your documentation?" Narrowing what is a possible trade secret would allow reviewers (or anyone) to produce public and private reports more easily where the private reports contained trade secrets.

Usually, we "know it when we see it" with trade secrets but in the realm of voting technology, we currently do not. That's going to need to change.

NB: Obviously, there is a third type of information that could be problematic if disclosed: actionable security exploits. That is, details about security vulnerabilities sufficient to allow compromise of a voting system in a manner such that elections are placed in danger of exploit.

...many of us don't want to read your blog posts on Obama and Clinton. Get bent.

The 2008 USENIX/ACCURATE Workshop on Electronic Voting Technology is open for registration with the full technical program posted here:

http://www.usenix.org/events/evt08/tech/

It's been quite popular to the extent that the organizers and PC chairs this year, David Dill and Tadayoshi Kohno, worked to expand it to two days! I'll be moderating a panel and presenting the last chapter of my thesis, so be sure to come early if you plan on attending USENIX Security or if you're a die-hard elections geek!