shouting loudly

Hotel minibar keys open Diebold voting machines

If only that headline were from The Onion. Instead, it’s from Princeton Computer Science Professor Ed Felten.

Here, from his blog post, is Felten’s description of how he learned of this flaw:

On Wednesday we did a live demo for our Princeton Computer Science colleagues of the vote-stealing software described in our paper and video. Afterward, Chris Tengi, a technical staff member, asked to look at the key that came with the voting machine. He noticed an alphanumeric code printed on the key, and remarked that he had a key at home with the same code on it. The next day he brought in his key and sure enough it opened the voting machine. …

A little research revealed that the exact same key is used widely in office furniture, electronic equipment, jukeboxes, and hotel minibars. It’s a standard part, and like most standard parts it’s easily purchased on the Internet. We bought several keys from an office furniture key shop — they open the voting machine too. We ordered another key on eBay from a jukebox supply shop. The keys can be purchased from many online merchants.

Countless commentators will certainly insist that this is further evidence that Diebold is an integral part of the corrupt Republican machinery, intent on producing phony election results. I disagree; Diebold simply cheaped out and made a shoddy product.

Economically speaking, making and selling voting machines has something very important in common with producing news in fully ad-supported media: in both cases, the people buying the product are not the people who will use the product. The producer therefore has an obvious incentive to make a product as cheaply as possible.

In the case of Diebold, we get electronic voting machines that are the laughingstock of the computing security industry. The minibar keys story is just the latest example; their machines are so vulnerable to hacking, your firewall-enabled Windows XP box is a veritable Fort Knox in comparison. This is ironic, because Diebold makes ATMs that are much more secure; banks have the direct economic power to insist on good security. Voters, sadly, do not.

In the case of ad-supported media, we get an industry that relies so heavily on its sources that there are more public relations professionals than journalists. PR folks are happy to oblige, and they spoon-feed the press with copy that is ready to go to press–or video news releases that are ready to go to air. A good deal of your daily newspaper and evening news broadcast started as the product of a PR department, and in many cases, these stories are used without much editing or fact-checking. (For an impassioned call to systematically research this topic, see Oscar Gandy’s classic, Beyond Agenda Setting.)

When the end user isn’t paying, there is an obvious incentive to skimp on input costs. Why spend precious capital developing a custom lock and key set (especially one that’s not vulnerable to key bumping; see this, this (pdf), and this) so that voting machines actually are more secure? Why send journalists on time-consuming fact-checking missions so that the news is actually more accurate?

The people who care about those things aren’t paying the tab, so why not cut corners and pocket the difference? Unfortunately, there is no real political pressure behind fixing the voting machine crisis, and there is little public pressure for high-quality investigative journalism (which is not the same thing as “journalism that fits my ideological slant,” for which there is substantial pressure).

In both cases, what we have is profound market failure.

P.S. I don’t know why I missed the key bumping story until tonight, but I did. And now I’m both all creeped out and curious enough to want to try it…