Election tampering possibilities? IT professionals, please check in

A friend forwarded me the following article:

http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm

More background in a link to the first article at:

http://www.scoop.co.nz/mason/stories/HL0307/S00064.htm

This particular friend is very, very smart, and an IT professional, but he also definitely has his kooky far-left conspiracy theory moments (I know, it’s probably a pointless request around here, but no comments from the peanut gallery, please). I’m not sure whether this is really a GQ, but it has obvious GD implications, so I’m posting it here.

  1. IT professionals, especially: how easily could a system like this be manipulated, especially in an untraceable manner? What could be done to improve the system, or is it unsalvageable?
  2. What have other jurisdictions with electronic voting systems done to prevent fraud, and how are these checks and balances different from this proposed GEMS system?
  3. Have any systems like the ones in the linked article been implemented in the U.S.? Are there plans to implement similar systems elsewhere?
  4. Are there any redeeming technical features of the system described in the article, or would we be better off sticking to punch cards, no matter how imperfect?

First, the point about having multiple ledgers being bad is totally bogus: in a digital sense, it’s absolutely unavoidable, and there are many more than three involved, since data is not transmitted from the precincts–it’s copied across the wire. There is no digital analogue to having a single vote that is itself counted.

Actually, I’m pretty unimpressed with the article, though it does make some obvious points: if the data is held digitally, it can probably be altered by the right person at the right time, or by someone who breaks in. This is no different than having paper ballots–the ballot box can be stuffed, a box of votes from a precinct heavily leaning towards candidate A can disappear, thus removing more votes from candidate A than from candidate B; the scrutineers can do a shady job of it.

The fact that it’s Microsoft Access, a toy database, at the heart of the system, means it’s easier to tamper with than other solutions. But no solution will be foolproof.

I can think of several things to secure the system:

  1. Have the network physically isolated, meaning no connections to anything but the phone network by which reports are transmitted. Better, have the actual computers used at the polling stations moved physically to a central counting depot where they can be networked to a tabulating machine, and thus never exposed to public networks. This prevents electronic intrusion.
  2. Have the tabulating and reporting machines physically isolated with good security, so that the only people with access to the computers themselves are authorized in meatspace, not just digitally by password. Again, this keeps the hackers out.
  3. Have a biometric access system to the computers used, so that administrative privileges are granted only to those who pass a retina scan or similar. This prevents tampering by insiders going into parts of the system to which they’re not allowed.
  4. Have good security discipline: no loaning your smartcard to someone else, no leaving an unattended workstation logged in, etc. This prevents accidental access.
  5. Make the database of election results freely downloadable off the Internet, allowing anyone in the world to compare the results to the census and polling. This prevents hidden, digital ballot box stuffing, since anyone can detect that there were 10% more votes cast than people registered to vote in the region.
  6. Have the polling machines create a physical token indicating the vote, inspected by the voter, and dropped into a sealed box. This provides a backup to the system. Each token is serialized; the serial number is stored with the vote. In the worst case, a physical recount can take place without worrying about over or under votes.
  7. Make the software freely downloadable at all times, so anyone can inspect the code. This prevents malicious code from casting every hundredth or thousandth vote for candidate A to a vote for candidate B. The process of compiling and installing the software can be done under the supervision of scrutineers from each party.
  8. Use a real OS with a real RDBMS system on it. Windows 2000, Linux, or Solaris is fine, with appropriate security enhancements. Nothing less than MS SQL Server, DB2, or Oracle for the database, and even then you don’t trust the software security.

The redeeming features of a digital system are instant vote counting and a more easily munged vote record. I particularly like the idea of being able to download the vote database and allowing the public to scrutinize the data themselves, something that’s impossible with paper ballots.
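The public-download and serialized-token ideas in the reply above only catch fraud if someone actually runs the reconciliation. As an added illustration (not from the thread or any real election system), here is a small audit over a constructed vote record: it flags precincts with more digital votes than registered voters, serials recorded twice, and mismatches between the digital record and the serials in the sealed token box. All precinct names, serials and counts are made-up sample data.

```python
from collections import Counter

# Constructed sample data. Each digital record is (precinct, token_serial, candidate);
# TOKEN_BOX holds the serials of the physical tokens actually deposited per precinct;
# REGISTERED holds the number of registered voters per precinct.
DIGITAL_VOTES = [
    ("P1", "P1-0001", "A"), ("P1", "P1-0002", "B"), ("P1", "P1-0003", "A"),
    ("P2", "P2-0001", "A"), ("P2", "P2-0002", "A"), ("P2", "P2-0003", "A"),
    ("P2", "P2-0004", "B"), ("P2", "P2-0004", "B"),   # same serial recorded twice
    ("P3", "P3-0001", "B"), ("P3", "P3-0002", "A"), ("P3", "P3-0003", "B"),
]
TOKEN_BOX = {
    "P1": ["P1-0001", "P1-0002", "P1-0003"],
    "P2": ["P2-0001", "P2-0002", "P2-0003", "P2-0004"],
    "P3": ["P3-0001", "P3-0002"],              # P3-0003 has no physical token
}
REGISTERED = {"P1": 10, "P2": 3, "P3": 10}    # P2 shows more votes than voters


def audit(votes, token_box, registered):
    """Return {precinct: [findings]} for every precinct with a discrepancy."""
    findings = {}
    by_precinct = {}
    for precinct, serial, _candidate in votes:
        by_precinct.setdefault(precinct, []).append(serial)
    for precinct in sorted(set(by_precinct) | set(token_box) | set(registered)):
        serials = by_precinct.get(precinct, [])
        problems = []
        # Ballot-stuffing check: more digital votes than registered voters.
        voters = registered.get(precinct, 0)
        if len(serials) > voters:
            problems.append(f"{len(serials)} votes for {voters} registered")
        # A serial stored twice means one token was counted twice.
        dupes = sorted(s for s, n in Counter(serials).items() if n > 1)
        if dupes:
            problems.append("duplicate serials: " + ", ".join(dupes))
        # Every digital vote needs its physical token, and vice versa.
        digital, physical = set(serials), set(token_box.get(precinct, []))
        if digital - physical:
            problems.append("no token for: " + ", ".join(sorted(digital - physical)))
        if physical - digital:
            problems.append("token without record: " + ", ".join(sorted(physical - digital)))
        if problems:
            findings[precinct] = problems
    return findings


if __name__ == "__main__":
    for precinct, problems in audit(DIGITAL_VOTES, TOKEN_BOX, REGISTERED).items():
        print(precinct, *problems, sep="\n  ")
```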