17 February 2005

Regrettable Actions

I was asked by a friend recently about whether it was technically possible to fix an election result, given complete access to the server and database on which the voting system is hosted. I replied that while it was technically possible, no-one would bother. Well, I wouldn’t normally bother.

In every similar situation you have to put your trust in someone. If you’re part of Imperial College, chances are you are paid through the Finance System or your details are stored with Registry or you’ve rated your lectures on SOLE. All of these systems are part of Imperial College Infomation System (ICIS), which runs on an Oracle database hosted on servers by ICT.

We have a host of Database Administrators (DBAs) who have total access to that data and they can modify stuff. The servers are controlled by a different group and we too could modify the data. Why don’t we? If we did, how would you know? Have we already done it? Imagine awarding yourself a quiet 10% payrise!

The answer is the same, whether you are talking about the inner workings of a multi-million pound business (like Imperial College) or the results of a democratic election. Because it’s not worth getting caught.

I wouldn’t like to comment on the actual possibility of being caught, because it would of course depend on the skills of the hunter against the skills of the prey, however it could happen. But then many foxes are hunted, few are killed. I think in the case of databases of this kind of importance, there’s a fair certainty that the culprit would be caught.

Now in the specific case in question, anyone with admin access to the system could adjust the data. If they covered their tracks sufficiently they could probably get away with it. I certainly wouldn’t bother, because it’s not worth the risk.

NB: I don’t have access to the system in question any more, so if you want to know the likelihood of any future compromises of that elections system, you’ll probably have to ask someone who can audit it.

Return to Listing...