As the 2004 presidential campaign has gotten underway in earnest in the last few weeks, two disturbing trends have coincided. First, new questions have emerged concerning data aggregator ChoicePoint, including revelations that the firm provided the Department of Homeland Security with information on foreign nationals obtained under questionable circumstances. ChoicePoint's DBT subsidiary gained notoriety during the 2000 election as the company that produced the error-laden "purge list" of Florida voters, ultimately found to be 97% incorrect. Second, as states have rushed to upgrade their vote-gathering systems, in response to the Voting Rights Act of 2002, serious questions have been raised about the security and integrity of electronic voting machines. These events have occurred in a political climate in which a federal agency was recently employed in a state partisan endeavor, when the Department of Homeland Security was called upon to help locate Democratic state legislators from Texas who had fled to Oklahoma in order to thwart a redistricting plan that would have altered the political makeup of the US House of Representatives.
In fiscal year 2002 the Immigration and Naturalization Service, now part of the Department of Homeland Security, entered into a $1 million contract for unlimited access to Choice Point's databases of information on foreign nationals. Recent reports by the Associated Press have suggested that the information may have been sold secretly -- and illegally -- by the employees of several Latin American governments. According to the AP, the ChoicePoint information appears to have originated in voter registration or national identity-card databases. ChoicePoint has acknowledged purchasing data from "subcontractors" in Mexico, Colombia, Venezuela, Costa Rica, Guatemala, Honduras, El Salvador and Nicaragua. In some cases, officials of US agencies with access to the ChoicePoint data, who were contacted by the AP, seemed not to know how the data were used. Other agencies, including the Bureau of Customs and Border Protection, would not respond to requests for information.
According to legal experts in the US and Mexico interviewed by the Guardian (UK), ChoicePoint could be liable for prosecution if its "subcontractors" broke local laws in obtaining personal information. Moreover, "Anybody who felt they were affected by this could take the US government to court," Mexican information law expert Julio Tellez said. "We could all do it ... We are not prepared to sell our intimacies for a fistful of dollars."
The largest agency contract with ChoicePoint is the Department of Justice's 4-year $67 million agreement, most of which is spent on looking up crime histories and credit reports of US citizens. The FBI's Investigative Services unit, which supports agents involved in criminal investigations, makes heavy use of ChoicePoint data. Agents have access to the web site cpfbi.com, on which both the FBI and ChoicePoint logos are displayed. FBI spokesman John Collingwood told the Wall Street Journal, "The FBI has located nearly 1,300 subjects of criminal cases using these kinds of searches," adding that using ChoicePoint "saves countless hours of manual records checks, a process the FBI has relied on for decades." While the FBI would not discuss how much it pays ChoicePoint currently, the contract for fiscal year 2000 was worth $8 million.
In 2001, FBI departmental guidelines prohibited collection of data on an individual unless the bureau believed the individual had committed a crime. "If the government can't go out and collect information on you absent predication, they shouldn't be able to go out" and purchase it from an outside service, observed Scott Charney former head prosecutor in the Justice Department's computer crime unit. San Antonio criminal defense attorney Gerald Goldstein went further, suggesting that "When the government actively encourages and solicits individuals to act on their behalf, those individuals," effectively become agents of the government. Historically, the government has not followed its own directives on security and confidentiality of private information. The General Accounting Office found in 1993 that FBI internal audits showed that use of the FBI's internal National Crime Information Center database did not adhere to privacy standards.
Privacy activists assert that outsourcing the chore of aggregating data on individuals violates the spirit if not the letter of the Privacy Act of 1974. The Privacy Act of 1974 prevents personal information held by any federal agency from being disclosed to any other federal agency, except for twelve particular circumstances or with written permission of the individual in question. Federal agencies may only store information relevant and necessary to their work, accuracy and completeness must be maintained, and steps must be taken to keep the information secure. The USA Patriot Act of 2001 loosened these strictures to allow interagency communication of personal information relating to national security. Nonetheless, outsourcing the creation of very general databases of personal information is "simply an end run around the Privacy Act" of 1974, according to Marc Rotenberg, of the Electronic Privacy Information Center (EPIC).
ChoicePoint obtains base information from credit bureaus, including Trans Union LLC, Experian Information Solutions, and its former parent company Equifax. Each credit bureau maintains information on approximately 180 million individuals. ChoicePoint combines name, known aliases, birthdate, Social Security number, current and prior addresses and phone number information from the credit bureaus, with criminal records, marriage records, bankruptcy filings, etc. The information is keyed by Social Security number, and massaged into customized databases based on client needs.
Problems with the data ChoicePoint supplies the FBI were revealed shortly after they signed a contract with the FBI in 2000. Privacy expert Richard M. Smith obtained a copy of his ChoicePoint file, and discovered more errors than correct information. ChoicePoint indicated that he had died in 1976, and that he shared aliases with two Texas convicts.
Barely a week later security experts revealed that ChoicePoint's LienGuard System, used by banks and other financial service businesses, was vulnerable to a number of widely publicized security flaws in Microsoft's Internet Information Server. By exploiting the security flaws a remote attacker could obtain administrative usernames and passwords to the system.
In January 2002 the company admitted to having left a corporate database unsecured and accessible from any web browser. An index of internal documents maintained in a Lotus Domino database was apparently left accessible by the public for several weeks until exposed by the French security association Kitetoa. A variety of proprietary corporate information could be obtained by navigating the database, for example, as reported by Wired News, inspection reports used in Medicaid fraud investigations. Chris Hoofnagle, legal counsel to EPIC noted that the series of security lapses at ChoicePoint illustrated the risks of having outside vendors gather and maintain sensitive private information for the government. "The risks to personal privacy include not only illegal or inappropriate employee access to the information, but also outsiders who wish to collect profiling information," he said.
Many Americans first became aware of ChoicePoint in the aftermath of the disputed 2000 election in Florida. After the 1997 Miami mayoral election, in which votes were recorded from felons, dead people, and nonresidents, Data Base Technologies (DBT), now a ChoicePoint subsidiary, received a $4 million contract to clean up the Florida voter rolls. A 1998 Florida law required the Elections Division to contract with a private agency to construct lists of ineligible voters, and then required county election supervisors to use the information to purge their rolls. Only two companies responded to the request for proposal: Computer Business Services of Americus, GA, and DBT. Computer Business Services declined to submit a proposal after reviewing the project requirements, leaving DBT as the sole applicant.
While still working on the Florida project, DBT joined a nation-wide effort sponsored by the Voter Integrity Project (VIP). Calling itself a "nonpartisan watchdog group," VIP's founder is the wife of Morton Blackwell, a Reagan administration operative who is executive director of the Council for National Policy whose membership includes Oliver North an Ralph Reed. In 1996 VIP sponsored an investigation of the US Senate contest in Louisiana, which Mary Landrieu won. A VIP investigator claimed he had evidence of widespread voter fraud and people being paid to vote, but Landrieu retained her seat. ChoicePoint bought DBT in 2000. ChoicePoint's board of directors includes Bernard Marcus, chairman of Home Depot, who contributed more than $200,000 to the Republican party between 1995 and 2000.
Even before ChoicePoint's partisan connections surfaced, county election supervisors in Florida had called the DBT information into question. In one instance, nearly 8,000 individuals listed as felons had only committed misdemeanors. Those errors were corrected, but many voters were prevented from voting in the 2000 election because they were erroneously listed as felons. 384 people were identified as felons because of criminal convictions with dates in the future. Other individuals, including the mayor of one North Florida town, were identified as felons because their name, age and race were the same as convicts. Some voters were able to have their voting rights restored by signing affidavits with their county elections supervisor, but many others could not take time off from work to make their case. A Palm Beach Post computer analyst determined that at least 1,100 people were wrongly purged from the voter rolls. Bush's margin of victory in Florida was 537 votes.
Minority advocates labeled the voter purge project a concerted effort to remove black voters from the rolls. A study by the Palm Beach Post found that, while 11 percent of Florida's voters are black, 44 percent of the individuals on the ChoicePoint purge list were black. The state's determination to remove all felons from the voter rolls exacerbated the problem. By including aliases, abbreviations, and other criteria in searching rolls for felons, many black voters were wrongly identified and forced to prove that they should be allowed to vote. US Rep. John Conyers, of Michigan, and others, noted that prohibiting felons from voting is in itself a discriminatory practice, because blacks are more often the target of wrongful arrest than other ethnic groups.
In January 2001 the NAACP sued ChoicePoint and the state of Florida for supplying data that led to thousands of voters being purged from the Florida voter rolls in error. ChoicePoint settled the lawsuit in 2002, agreeing to provide the Florida Division of Elections with the list of individuals whose names were purged in error, for reinstatement on the voter rolls. A ChoicePoint report dated August 19, 2002 indicated that only about 3,000 of the 94,000 names on the "purge list" actually matched all nine of the firm's criteria, including Social Security number, for avoiding misidentification. According to Salon.com, however, the list was still in use in many Florida counties during the 2002 Florida election -- in which Jeb Bush was re-elected governor -- apparently because the state had not directed counties to discontinue using it.
In May 2001 the Florida legislature passed an election-reform bill that effectively ended the state's contract with ChoicePoint, $3 million into the contract. As lawmakers looked into the circumstances surrounding the original agreement, state senator Tom Rossin of Palm Beach County, and a state-wide task force on election reform called for an investigation into the awarding of the ChoicePoint contract. A legislative analysis of the bill dated January 1998 states that the Division of Elections estimated that the project would cost between $4.3 million and $4.5 million. Sandra Mortham, Florida's Secretary of State at the time told the Palm Beach Post that the appropriation request did not come from her office. The director of the Division of Elections, Ethel Baxter, refused requests for an interview. (In Florida the Division of Elections is a part of the Department of State.) An investigation by the Florida association of county election supervisors was unable to determine who had initiated the idea of hiring a private company. "We cannot find any fingerprints on this bill," one county supervisor said.
Research by Dubya Report contributor B.E. Simons shows that DBT/ChoicePoint was fully aware that the accuracy of their information was dependent upon being able to match Social Security numbers -- something it could not do consistently in preparing the Florida list. A May 11, 2000 SEC filing warns
Social security numbers are the primary organizing principles that we use to
generate our reports.... If we cannot obtain social security numbers ... our ability to generate reports efficiently will be reduced. We can and do use names, addresses and dates of birth to generate our reports. However,
without the use of social security numbers, we believe that those reports would
not be as complete or accurate as reports generated with social security
numbers. We also would incur significant expense to revise the software we use
to generate reports. Less complete or less accurate reports could adversely
affect our business....
Moreover, Simons notes, the error-laden Florida voter-roll-purge list was out of character for DBT/ChoicePoint, which touted its data verification process as a value-added offering that distinguished it from its competitors in a competitive and rapidly changing market.
In Florida, information about felons is divided between the Florida Department of Law Enforcement, which maintains information on convictions, and the Office of Executive Clemency, which keeps information about people whose rights have been restored. The quality of record keeping varies; in some cases conviction records were decades old and lacked supporting documentation. Agencies responsible for checking ChoicePoint's data approached the problem with varying levels of attention to detail. Observers noted that the Florida agency responsible for birth and death data often confused two counties whose name begin with "M" -- Marion county, where Ocala is located, and Monroe county, which encompasses the Florida Keys.
The ChoicePoint/DBT episode illustrates the general problem of trying to merge information from multiple databases -- apparently a key component of what ChoicePoint markets to businesses and the government. Marc Rotenberg of the Electronic Privacy Information Center, whose Freedom of Information Act requests uncovered ChoicePoint's recent purchases of international data, suggests that mistakes are inevitable. "I know it's inconceivable to imagine a computer can make a mistake, but those errors have occurred," he said. "An alias is confused with the actual identity. Two people have the same name but different addresses." The problems with ChoicePoint's project in Florida illustrate on smaller scale the difficulties of maintaining data integrity on a national or international scope.
If It Worked In Florida...
Despite the problematic history of Florida's experience with computerized voter rolls, the improbably named "Martin Luther King, Jr. Equal Protection of Voting Rights Act of 2002," passed by the 107th Congress, imposed many of the requirements of the Florida voter roll purge project on the rest of the nation. The "chief State election official" in each state is required to maintain a single computerized list of all registered voters, and to coordinate the voter list with death and felony status records from other state agencies. Investigative reporter Greg Palast, who studied the Florida voter irregularities for Salon.com and assisted the US Civil Rights Commission's investigation, is skeptical that the law will actually help. "... [T]he Florida show is being taken on the road and is going to be imposed on all 50 states. Centralization, computerization, purging the voter rolls.... [I]t's going to fix the 2004 election if it's close," he told the Baltimore Chronicle.
A key focus of the Voting Rights Act of 2002 is "to provide funds to States to replace punch card voting systems." One effect of the act's passage has been to spur interest in and deployment of electronic voting machines. But electronic voting machine technology has come under at least as much criticism as the government's exploits with databases of private information.
During the 2002 election, the results in 14 races won by Republicans were inconsistent with pre-election polls by between 3 and 16 percentage points. The biggest upset may have occurred in Georgia, where results were 9 - 12 percentage points different from pre-election polls. Georgia, perhaps coincidentally, used more electronic voting machines than any other state. The machines used in Georgia were supplied by Diebold. According to the web site of the Georgia Republican state legislators, "Diebold was not the low bidder" to supply the 22,000 voting machines, but "had hired former Georgia Secretary of State Lewis Massey to lobby on its behalf and was the most politically connected group bidding for the contract." Some Georgia voters complained that the Diebold machines were recording votes for a candidate other than the one they had selected. If the voter noticed the error, it was corrected before the vote was officially tallied. A spokesman for the Georgia secretary of state reported that the malfunctioning machines were replaced as soon as the problem was identified, but it is unknown how many votes were miscounted.
In Miami-Dade and Broward counties in Florida, a different problem was encountered. After polls had closed, ES&S voting machines at precincts where hundreds of people had voted tallied almost no votes. Technicians were eventually able to extract the voting information from the machines.
Such follies do not surprise Rebecca Mercuri of Bryn Mawr College, a voting security expert. "If the only way you know that it's working incorrectly is when there's four votes instead of 1,200 votes, then how do you know that if it's 1,100 votes instead of 1,200 votes? You'll never know," Mercuri told the Washington Post. Similar concerns prompted Stanford University's David Dill to initiate a petition warning that electronic voting machines were in many cases less reliable and more prone to fraud than the equipment they were replacing. "I'm not concerned about elections that are a mess," Dill told the Post. "I'm concerned about elections that appear to go smoothly, and no one knows that it was all messed up inside the machine." "We're not paranoid," Mercuri added. "They're avoiding computational realities. That's the computer science part of it. We can't avoid it any more than physical scientists can avoid gravity."
The ES&S and Diebold machines use "proprietary" software, and hence cannot be reviewed by critics or independent experts. Malfunctioning machines in Florida and Georgia were receiving programming corrections right up until voting began. Mercuri noted that hastily applied software corrections often cannot undergo adequate testing. Moreover, equipment that is easily updated may note be secure from tampering. "Someone sufficiently unscrupulous, with an investment of $50,000, could put together a team of people who could very easily subvert all of the security mechanisms that we've heard about on these [voting] machines," Stanford's Dill observed.
In February 2003 software engineer Dan Spillane sued former employer VoteHere, charging that he had been fired in retaliation for threatening to expose flaws in VoteHere's software to the US General Accounting Office, and the independent authority responsible for certifying voting machines. Spillane, who was an equipment tester for VoteHere, alleges that he reported approximately 250 defects to management. One reported problem would have prevented information from being transmitted correctly from the computer's touch screen to the log file. Another affected the usability of the touch screen for people with physical challenges or "limited educational experience."
Speaking to Wired News about the Spillane case, Stanford's David Dill commented that the suit was of interest because it could shed light on the process of certifying voting equipment. "What we're hearing from a lot of different places is that you don't have to worry about these machines because they're certified at the federal level and the state level," he said. "But it's difficult to get direct information about what happens in the certification process."
On May 21, 2003 The Hill reported that Senator Chuck Hagel of Nebraska has a $1 million to $5 million stake in a holding company that is part owner of ES&S. All of the voting machines in use in Nebraska are manufactured by ES&S. Hagel served as chairman of ES&S from the early 90s until 1995, during which time the firm was named American Information Systems (AIS). Until 1996 Hagel was also president of McCarthy & Co., a financial advisory group that is part of the holding company McCarthy Group Inc. Michael R. McCarthy, chairman of the McCarthy Group, has served as treasurer for several Hagel fundraising entities, as recently as December 2002. In financial disclosure statements required of US Senators, Hagel listed his investments in the McCarthy Group, but claimed that he did not need to report interests in any McCarthy Group investments -- a position disputed by outgoing Senate Ethics Committee director, Victor Baird.
The two leading players in the electronic voting machine business, ES&S and Diebold, are owned and operated by major contributors to the Republican party.
ES&S and Diebold are connected historically, as well. In 1999 AIS and Business Records Corporation merged to become ES&S. AIS and its predecessor, DataMark, were founded by brothers Todd and Bob Urosevich. Bob is currently president of Diebold. AIS received initial funding from William and Robert Ahmanson of H.F. Ahmanson Co., a savings and loan holding company. Howard Ahmanson is a member of the Council for National Policy, the organization that was connected through Helen and Morton Blackwell to the Voter Integrity Project that utilized DBT/ChoicePoint while it was also purging voter rolls in Florida.
Dubya Report contributor B.E. Simons has noted that ChoicePoint CEO Derek Smith has had a business association with Edward J. Mathias, a founder and managing director of the Carlyle group, and a director of its Asia Ventures Partners -- the subsidiary that has employed George H.W. "Poppy" Bush. Smith, Mathias, and ChoicePoint board member Bernard Marcus are all on the advisory board of the Yale University Chief Executive Leadership Institute (CELI). All three participated in the CELI May 2000 conference, somewhat ominously titled "Knowing Enough to Be Dangerous." Smith and Mathias both participated in a session titled "Knowing Too Much about the Customer:
Responsible Uses of Information and When to Just Say No." In the 2001 CELI conference, titled "2001: What HAL Didn't Know," Mathias and Smith participated in a session titled, "Who Is Really Your Business Partner?
What More Does HAL Need to Know about Us?"
A New Definition of Homeland Security
Completing the picture is the specter of a federal agency being used for state partisan political purposes, as apparently happened during the recent action by Democratic legislators in Texas. The Texas Democrats had crossed over state lines to Oklahoma to prevent a quorum -- and hence a vote -- in the Texas House on a redistricting plan that could have added to the narrow Republican margin in the US House of Representatives. Texas Republicans contacted the Air and Marine Interdiction and Coordination Center, a California agency operated by the Department of Homeland Security, in order to track a small aircraft belonging to former House Speaker Pete Laney. The agency located the plane in Oklahoma, and the missing legislators were discovered at the Ardmore, OK, Holiday Inn. Texas House Speaker Tom Craddick then contacted US House Majority Leader Tom Delay to request that the FBI and US Marshals be deployed to apprehend the Texas legislators.
Eventually the Texas Department of Safety was assigned to the task, but because they have no authority in Oklahoma, officers were reduced to harassing legislators' staff and family members. An investigation into the Department of Homeland Security's involvement was launched at the request of Rep. Jim Turner, Democrat of Texas. In a letter to Homeland Security Secretary Tom Ridge, Turner wrote, "I am very concerned that federal resources intended to protect homeland security may have been used to track law-abiding individuals who posed no security threat.... If federal resources were indeed used for this purpose, it appears that federal laws or departmental policies may have been violated, and an investigation by the inspector general of the Department of Homeland Security should be initiated forthwith." Ironically, Clark Kent Ervin, who is awaiting confirmation as inspector general, removed himself from the investigation citing previous work for the state of Texas. Ervin has close ties to Texas Republicans, having served as inspector general of the Texas department of state, as well as deputy assistant attorney general, and assistant secretary of state.
Krane, "U.S. buys Latin Americans' personal data" Associated Press. 14 Apr. 2003
Burkeman, Oliver "Firm in Florida election fiasco earns millions from files on foreigners" Guardian (UK) 5 May 2003
King, Robert P. and Joel Engelhardt "Credibility of Voter Purging Questioned" Palm Beach Post 6 Dec. 2000
King, Robert P. "Hunt For Fraudulent Voters Triggered Confusion, Anger" Palm Beach Post 11 Dec. 2000
Kane, Gary and Scott Hiaasen "Reform Ends Costly Try To Purge Voter Rolls Of Felons" Palm Beach Post 28 May 2001
Eversley, Melanie and Gary Kane "Black Leaders Sense Sinister Motive In Purge" Palm Beach Post 27 May 2001
"Selected Federal Statutes Affecting Privacy Rights" Wiley Rein and Fielding. 2003
Simpson, Glenn R. "Big Brother-in-Law: If the FBI Hopes to Get The Goods on You, It May Ask ChoicePoint" Wall Street Journal 13 Apr. 2001
Harmon, Rod "An 'Unprecedented' examination of Florida's flawed 2000 election" Bradenton Herald 22 Sep. 2002
Palast, Greg "Jeb Bush's secret weapon" Salon.com. 1 Nov. 2002
Carlton, Brad "Q & A with Greg Palast" Baltimore Chronicle & Sentinel 9 Apr. 2003
Scheeres, Julia "What They (Don't) Know About You" Wired News 11 May 2001
McWilliams, Brian "Data Firm Exposes Records Online" Wired News 22 Jan. 2002
McWilliams, Brian "More Online Security Woes for FBI's Data Firm" Newsbytes 28 Jan 2002
Thompson, Alastair "American Coup: Mid-Term Election Polls vs Actuals" Scoop (NZ) 12 Nov. 20002
Partridge, Ernest "The Greatest Story Never Told" The Crisis Papers 31 Mar. 2003
Keating, Dan "New Voting Systems Assailed" Washington Post 28 Mar. 2003
"Daily Update" Georgia House Republican Caucus. 6 May 2002
Bolton, Alexander "Hagel’s ethics filings pose disclosure issue" The Hill21 May 2003
"Voting Machine Companies" EcoTalk.org
Ferdinand, Erin "Texas Republicans Call on Department of Homeland Security to Locate Truant Democrats" Utne.com May 2003.
"Probe Asked of Homeland" NewsMax Wires. 16 May 2003