Computer Election Verification: Another IT boondoggle

William Poundstone's New York Times January 7, 2008 opinion piece on Rivest and Smith's computer election verification scheme sounds "gee-whiz plausible" - at first glance.  A closer look shows not only is the scheme utterly impractical, it's just another inappropriate computer technology solution in search of a problem - a problem, that's already been solved.

Here is the essence of Rivest and Smith's election verification proposal, as described by Poundstone:

"[Rivest and Smith's] basic idea is to allow each voter to take home a photocopy of a randomly selected ballot cast by someone else.

"The scheme is low-tech. Paper ballots would be tallied by optical scanners or even by hand. The results would be then posted on a Web site. Using a serial number assigned to each ballot, voters could check the site to make sure that their random ballots were posted and had not been altered or misread."

At first glance it sure sounds "gee-whiz" plausible, but to an e-commerce and security professional, well, a few questions immediately spring to mind.

Here's an obvious one: how do I know the data on the "web site" is correct?

If the paper ballots are altered after being cast and photocopied, and before being "officially" imaged for the web site, sure, the copy the voters retain would not match the online version - but it would not match the paper, either.  So that kind of fraud would be successful - and not detectable.

Those familiar with the horror stories of punch card and optical scan ballot handling, most notably in the 2004 Ohio recount - and afterwards - should not be quick to assume that ballot paper cannot be altered once it leaves the room.  (That's why secure election protocols count the paper before it leaves the polling place in front of multiple witnesses, and deprecates early and absentee balloting in the absence of serious chain-of-custody reform.)

If I want to spend the money, I could introduce a "man-in-the-middle attack", and deliberately corrupt or alter the ballot data, either in flight or after it is received. Generating a high volume of false positive recounts would add to the cost of elections and decrease public trust in the process, instead of the reverse.

I'll leave it as an exercise to the reader to figure out a way to flag the ballots that do get photocopied in such a way as only those are not altered. (By the way, the prize is control of a $12 trillion economy and the US Military, so put on those thinking caps).

Infrastructure boondoggle?

By the way - anyone thought about the storage requirements for keeping hi-fidelity ballot images online?  Back-of-the-envelope, for 130 million presidential year ballots, at say 20KB per ballot image (optimistic compression), that's 2.6 times 10 to the 12th bytes of image data, or 2.6 terabytes, or 2,600 gigabytes - maybe, as much as 10 terabytes.

Sure, you can stop down at your local computer store and buy that much storage for your PC or Mac for a couple of thousand dollars, and that utterly misses the point.

The largest online transactional databases today are on the order of tens of terabytes, and they are very expensive to maintain and index for high volume performance and scalability. 

How do you get all those bytes from the precinct into the central database in a timely manner, and securely serve them to what we in the e-commerce world call an "open queue" - essentially unlimited numbers of users - with the gigantic peak in processing volumes coming in the critical hours after an election - precisely when public perceptions of winners and losers are being set?

 1  |  2