Jul 11

How to botch an American Election

The article How to Rig an American Election was recently forwarded to Doug Farber's interesting-people mailing list.

When you cut out the inane hype and conspiracy theories it becomes obvious that the claimed "backdoor" is just a misunderstanding or deliberate misrepresentation of an extremely common database technique: the program creates a summary table to avoid needing to recount a large number of records each time you look at the results. Toss in the usual concerns about passwords and a reminder that very few databases provide tamperproof logging and there's absolutely nothing to suggest this is anything more than garden variety incompetence.

Unfortunately there are a number of worrisome problems which are likely to be ignored because of the paranoid conspiracy babbling:

  • People are building anything even remotely important in Microsoft Access despite its long history of poor performance, unreliability and lack of many features provided by real databases. The free MSDE (Microsoft SQL Server Desktop Engine) would be a significant improvement, although I'd like to note that there is a really strong case for mandating open-source on such an important system so it can be reviewed by anyone.
  • The programmers traded accuracy for speed in an application where accuracy should be paramount. Worse yet, there's no technical justification for this decision. Any real database should have no problem summing an entire national election with 100% turnout in a few seconds, much less the relatively small number of votes each of these systems handles. Electronic voting is an excellent example of a system where preserving accuracy is far more important than saving a fraction of a second on a query.
  • The programmers were either unaware or unconcerned about the ease with which the built-in auditing system could be manipulated. The literature contains a number of systems which when combined with competent system design would make tampering much harder and eliminate the possibility of removing previous log events.
  • Diebold's website is a bit vague about whether there is a paper audit trail in case the system breaks down.
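To make the summary-table point concrete, here is an added example (not code from the article or from any vendor's product) using an in-memory SQLite database with constructed sample ballots: a cached summary table next to the authoritative count over every ballot record, and a reconciliation check that reports any candidate whose cached total no longer matches a full recount. The table and column names are assumptions for illustration.

```python
import sqlite3

# Constructed sample ballots (not real election data): (precinct, candidate)
SAMPLE_VOTES = [
    ("P1", "A"), ("P1", "B"), ("P1", "A"),
    ("P2", "B"), ("P2", "B"), ("P2", "A"), ("P2", "C"),
]

def build_db(votes=SAMPLE_VOTES):
    """Create an in-memory DB holding raw ballot records plus a cached summary table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE votes (id INTEGER PRIMARY KEY, precinct TEXT, candidate TEXT)")
    db.execute("CREATE TABLE summary (candidate TEXT PRIMARY KEY, total INTEGER)")
    db.executemany("INSERT INTO votes (precinct, candidate) VALUES (?, ?)", votes)
    # The summary is filled once from the records; the fast path reads it instead of recounting.
    db.execute("INSERT INTO summary SELECT candidate, COUNT(*) FROM votes GROUP BY candidate")
    return db

def recount(db):
    """Authoritative totals: aggregate over every ballot record each time it is asked."""
    return dict(db.execute("SELECT candidate, COUNT(*) FROM votes GROUP BY candidate"))

def cached_totals(db):
    """Fast path: read the summary table and trust whatever it says."""
    return dict(db.execute("SELECT candidate, total FROM summary"))

def reconcile(db):
    """Return {candidate: (cached, recounted)} for every candidate where the two disagree.

    An empty dict means the summary table still reflects the records; anything else
    means the cache and the ballots have diverged and the records must be trusted instead.
    """
    fresh, cached = recount(db), cached_totals(db)
    return {
        c: (cached.get(c), fresh.get(c))
        for c in set(fresh) | set(cached)
        if cached.get(c) != fresh.get(c)
    }

def stale_summary_scenario():
    """The failure mode: a record arrives after the summary was built and the cache is never refreshed."""
    db = build_db()
    db.execute("INSERT INTO votes (precinct, candidate) VALUES ('P3', 'C')")  # constructed late ballot
    return reconcile(db)  # the cached total for C now lags the ballot records
```

The recount over all records is the only number that should ever be reported; the summary table is at best a convenience that must be reconciled against it before anyone reads results from it.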

These problems suggest that there was no competent advice (I'm tempted to say "adult supervision") for either the technical or security design. The thought of any product being implemented by such an inexperienced, non-security-aware product team is disturbing but I find it far more worrisome that none of this prevented people from buying these systems - if there's any justice the decision will be whether they're merely fired for gross incompetence or prosecuted. Unfortunately given the technical nature of the problems and the tendency for such people to be politically well connected I doubt any such critical examination will actually happen.