E-voting, or how the Bush Stole 2004.
2004-Nov-10, Wednesday 10:11
See: Evidence Mounts That The Vote May Have Been Hacked
I'm hoping that what happened as described in that article is actually what happened (that the central tabulator computer numbers were flipped for optically scanned ballots) because it means that there is a paper trail to dig through to prove the reverse.
The thing about electronic voting is, it's not easy to create an auditable system. By auditable, I mean a system which can be forensically proven to have done the right thing after the fact. Paper-based voting systems can have manual recounts performed. Electronic ones? This isn't easy.
I know. I have, in a previous job, built electronic data capture systems for medical data. Part of the requirement for such systems is an extremely high level of auditability. It is doable. You have to use cryptographically secure signing methods (a rolling hash is a good start, for those that know what I'm talking about) to ensure integrity of the electronic data, and then you need to link that electronic signature to an external record that it can be audited against.
That last step for a medical data capture system, well, it's not hard, you just keep the original paperwork. For an electronic voting system? You're going to need to issue some sort of ticket that every voter can verify. If you don't do that, then you don't have an auditable trail that allows you to prove definitively that everyone actually voted the way that the computer says they voted.
What does that mean? That means that anyone with access to the database can just modify it, and there is no proof that the database was ever modified, and how. This access doesn't have to be done by a human... It can be much better done by a custom piece of software that knows what the database looks like. It's also very easy to make software self-deleting, especially in an environment like Win32, so once the custom fix has done its job, it can delete itself, leaving no trace of its existence or effect.
Anywhere where there is no auditable trail, the numbers could easily be auto-modified that way. And you don't need to modify by very much to have a significant effect in a tight election, so long as you can hit a reasonable number of places. If you switched every 50th Kerry vote to a Bush vote, that's a 2% swing to Bush, and not enough of a change to be validatable against voter pre-registrations. Noticeable against exit-polling, though.
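The rolling hash and the external record it has to be linked to, as an added example that is not part of the original post: it checks a hash-chained record store after an in-place edit and after a full rewrite with recomputed digests. The function names, the `GENESIS` value, the "A"/"B" record format and the sample data are all constructed assumptions.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # starting value for the chain (assumption)

def link(prev: bytes, record: str) -> bytes:
    """Rolling hash: each digest covers the record and the previous digest."""
    return hashlib.sha256(prev + record.encode("utf-8")).digest()

def build_chain(records):
    """Return [(record, digest), ...] as the data store would hold them."""
    chain, prev = [], GENESIS
    for rec in records:
        prev = link(prev, rec)
        chain.append((rec, prev))
    return chain

def first_broken_link(chain):
    """Index of the first row whose stored digest does not match, else None."""
    prev = GENESIS
    for i, (rec, digest) in enumerate(chain):
        if not hmac.compare_digest(link(prev, rec), digest):
            return i
        prev = digest
    return None

def audit(chain, external_head: bytes) -> str:
    """The chain must be self-consistent AND end at the externally held digest."""
    broken = first_broken_link(chain)
    if broken is not None:
        return f"tampered at row {broken}"
    head = chain[-1][1] if chain else GENESIS
    if not hmac.compare_digest(head, external_head):
        return "chain rewritten: head differs from external record"
    return "ok"

# Constructed sample data: 200 records of the form "<n>:<choice>".
ballots = [f"{i}:{'A' if i % 2 else 'B'}" for i in range(200)]
original = build_chain(ballots)
external_head = original[-1][1]  # assumption: recorded outside the system

# Case 1: one row edited in place, stored digests left alone.
edited = list(original)
edited[49] = ("49:B", original[49][1])

# Case 2: every 50th row changed and all digests recomputed afterwards.
changed = [r.replace(":A", ":B") if i % 50 == 49 else r for i, r in enumerate(ballots)]
rewritten = build_chain(changed)
```

`first_broken_link(rewritten)` returns `None`, so the recomputed chain looks clean from inside the database; only the comparison against `external_head` exposes it, which is why the hash has to be tied to a record held outside the system.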
I'm hoping all that was done was the switcheroo as described in the article (which again could have very easily been done by self-deleting software)... but there's a lot more that could easily have been done on other systems too. Even with the touch-screens, this could have been done, and so long as the modifications were reasonable, the effect is undetectable and unprovable, because there is no audit trail.
Here's hoping they were stupider than that. I don't think they were, though.
PS: For some more detailed argument about this stuff, see erudito's post on Qualities, in which you'll find a lot of comment chatter between us.
Edit: And via lederhosen: a Risks Digest entry about e-voting problems.