Bev Harris of Black Box Voting, www.BlackBoxVoting.org
wrote Consumer Reports on Diebold GEMS Central Tabulator Software
in August, 2004
This is a report of her information
by Teresa Hommel, www.WheresThePaper.org
--Much of this information was originally published on July 8, 2003, and has been corroborated by formal studies (RABA, see page 21) and by Diebold internal memos written by its programmers.
--Activists Find More E-Vote Flaws, By Kim Zetter, 9/22/04, important discussion of the risks, and procedures that can mitigate them.
--Diebold's 2-page rebuttal concedes that Bev Harris’ description of GEMS is correct, but says that “Any attempt to hack, edit or otherwise tamper with the election results will introduce obvious, well-defined inconsistencies into the system that will be detected by election administrators because the results are ultimately verifiable and auditable via standard operating procedures.”
--Diebold’s 7-page rebuttal concedes, “…it’s possible to modify the database in this way, but … the real issue is whether it’s possible to do so undetectably….”
--No tampering can be detected unless election administrators are aware of the security flaws described below, and perform the verifying procedures listed below under section 16. Make sure your county and state election administrators are notified, and that multipartisan observers help by being present and watching.
1. What is Diebold GEMS Central Tabulator Software?
Diebold GEMS central tabulator software is used to count votes reported by individual precincts and to publish the tallies. The software is used in as many as 30 states, in 1,000 locations. Each system counts up to two million votes at a time.1
Many GEMS versions have the flaws described below, including but not limited to
2. How GEMS is Used
Whether you vote absentee, on touch-screens, or on paper ballots with optical scan machines, the vote tallies from each precinct are ultimately brought to the GEMS central tabulator at the county level. Each precinct sends in one number for each candidate, representing how many votes the candidate received from the voters in that precinct. GEMS totals these precinct vote tallies and creates a report of the vote tallies for the whole county.
3. Two Copies of the Vote Database
GEMS stores all the precinct vote tallies in a "vote database" that is compatible with databases used by Microsoft Access. A database is a file of information that can be used to calculate totals and can be formatted for printing.
Proper accounting procedures, whether manual or on a computer, typically allow only one copy of each set of data (database) to be kept -- not multiple versions. This ensures that when you look something up, you always get the right copy of the information because there is only one copy. In accounting, dual sets of books are prohibited because dual sets of books can enable errors and fraud to go undetected, especially if people do not know that there are two sets.
However, GEMS makes three copies of the vote database. Black Box Voting does not know the use of the third copy.
Election officials often do not know that there are multiple copies of the vote database, because this is not mentioned in GEMS documentation, and officials see only the reports that GEMS produces:
"Statement of Votes Cast" (total votes per candidate from each precinct)
"Election Summary" (total votes per candidate for all precincts in the county)
4. Separate Uses for Two Copies of the Vote Database
GEMS uses the first copy of the vote database to print the Statement of Votes Cast, which is used to spot check that the correct numbers were reported by the precincts and entered into GEMS.
GEMS uses the second copy of the vote database to add up the totals for the county and print the Election Summary.
In software design, the use of two databases to contain the same numbers is considered error-prone because of the possibility that the two databases will end up containing different numbers. In fact, this can easily occur with GEMS.
5. How to Change One of the Vote Databases But Not the Other
GEMS' second vote database can be viewed and changed by a procedure that takes less than a minute:
a) Each line in the vote database contains the name of one candidate and a separate number for each precinct in the leftmost columns. (A line in a database is sometimes called a "row".)
b) When GEMS begins, the two copies of the vote database are "linked" to each other so that as the precinct numbers are entered, each copy receives the same exact numbers.
c) The vote databases have a column called "Dirty" that few people notice because it is not mentioned in the documentation and you have to scroll all the way over to the rightmost column of the database to view it. If you gain access to the database and change the code in this column from 0 to -1 for one row, you have unlinked (or decoupled) that row in the two copies of the vote database. After that, you can alter that row in the second copy, but your changes will not automatically be made in the corresponding row in the first copy.
This is a simple, elegant design which allows the two copies of the vote database to contain different numbers.
Unless you know about the multiple copies of the vote database and inspect them, you will not see the changed numbers. The numbers in the first copy will pass a spot check -- even with paper ballots -- but the county totals printed in the Election Summary ARE ALWAYS derived from the numbers in the second copy, which could be different.
The use of these two copies of the vote database appeared in GEMS on October 13, 2000, in GEMS version 1.17.7.
6. GEMS is Not Secured by Passwords
GEMS is supposed to be secured by passwords and audit logs. However, GEMS passwords can be bypassed, and the audit logs can be altered and erased. Because of this combination of features, the votes can be changed without anyone finding out, including the officials who run the election.
Black Box Voting's warning about GEMS' vulnerability to undetectable fraud was also voiced by the RABA Trusted Agent Report of Jan. 20, 2004, commissioned by the Department of Legislative Services of the State of Maryland, http://www.raba.com/press/TA_Report_AccuVote.pdf. On page 21, after discussing several ways that the GEMS Server can be accessed, the RABA report states:
"Given either physical or remote access ... it is possible to modify the GEMS database. Because both the database password and audit logs are stored within the database itself, it is possible to modify the contents without detection. Furthermore, system auditing is not configured to detect access to the database."
7. How to View and Change the Vote Database
(1) Use of Microsoft Access. GEMS' vote database is compatible with Microsoft Access. This compatibility means that you can use Access to view the vote database on the computer screen and modify it.
An Access database that is not passworded can be opened by double-clicking on the vote file. This has been observed in GEMS 1.18.19.
To prevent people from using Access to change the vote database, some locations have deleted Access from their GEMS computer. This approach leaves the two copies of the vote database intact, but requires a different method to view and modify the second copy.
(2) Use of Visual Basic Script. Visual Basic Script is a simple programming language that can modify an Access database. You can use a text editor like Notepad to type a six-line program in Visual Basic Script, and your program can change the vote database.
8. If Internet or Modem Connections are used, GEMS Cannot Be Secured by Limiting Who Can Enter the Computer Room
Some locations have tried to protect the vote database by limiting who can physically enter the GEMS tabulator room, and requiring a password to turn on the GEMS computer. However, these two security measures do not solve the problem if the internet or modems are used.
(3) Internet. The GEMS computer is called "stand alone" if it is not connected to the internet, and most counties say they do not connect GEMS to the internet. However, GEMS has an internet component, called "jresults" which can be used to connect GEMS to the internet, and a few counties may still do so. If they do, hackers can enter GEMS via the internet.
(4) Dial-in Phone Lines and Modems. GEMS typically receives incoming vote tallies from the precincts over dial-in telephone lines through modems. Mohave County, Arizona, for example, has six modems attached to its GEMS computer on election night. King County, Washington, has had up to four dozen modems attached at once.
If phone lines and modems are connected to the GEMS computer, this allows anyone to use a PC and simple computer dialing techniques to dial into the GEMS computer. Once connected, they can manipulate the vote database at their leisure. (For several decades prior to development of the internet, people and computers interacted over phone lines with modems. The famous hacker Kevin Mitnick preferred this to the internet.)
The dial-in protocols for GEMS are widely known:
a) They are given to hundreds of poll workers.
b) Many people in Diebold, including many temp technicians, have the dial-in protocol.
c) The configurations have been available on the internet for several years.
Because hackers can dial into the modems, it is more secure to disconnect all modems from GEMS.
(5) Physical Access. The disk from the GEMS computer can be physically put into another computer to obtain precinct vote tallies via the internet or modems. This way, the GEMS computer is never connected to the internet or a modem.
However, even if the GEMS computer is isolated from the internet and dial-in phone lines and modems, the vote database is still not secure because so many people have access to it in the computer room.
9. GEMS is Not Secured by Limiting Who Can Enter the Computer Room
Harris and Stephenson of Black Box Voting asked county election officials for their lists of who was allowed to access GEMS after it was already turned on, and who was given a password and permission to sit at the terminal.
Several officials said they don't keep a list. Those who did had long lists:
a) County employees (sometimes limited to one or two);
b) Techs who work for the county, like county database technicians, who also get access to GEMS;
c) Printshops who prepare the ballots;
d) Diebold employees and contractors.
Diebold "contractors" are temporary workers hired by subcontractors to work for Diebold. Diebold accounts payable reports obtained by Black Box Voting indicate that Diebold advertises for temps on Monster.com and hotjobs.com, uses several temporary employment firms including Coast to Coast Temporary and Ran Temps Inc., and also works with many subcontractors, like Wright Technologies, Total Technical Services, and PDS Technical Services.
With so many people accessing GEMS, GEMS cannot be considered secure.
(6) Usually GEMS requires you to enter a password to get in. However, apparently, once the system is running and one person has entered a password, another person cannot log in as a different user unless you close GEMS and reopen it.
On election night, once the computer is up and GEMS is running, the votes start to pour in. No one will shut down the computer in order to log in as a different user. Everyone interacts with the computer when they need to, regardless of who originally logged in and entered a password.
(7) The GEMS Audit Log is supposed to record every interaction that occurs, and identify who did it, but Black Box Voting found that in the Audit Log everyone is called "admin." That is because everyone logs in with that same ID, which prevents the Audit Log from identifying who did what.
(8) Could counties limit access to just one person, for example the county elections supervisor? Black Box Voting did not find any counties that did this. The reason: Election officials are dependent on Diebold's technicians during the election. However, even if only one person had access to the GEMS system, "trust, but verify" is still the rule -- we should not trust the sanctity of a million votes to just one person.
(9) How many people have access to GEMS? A sociable GEMS user can give all his friends access to the vote database. In one experiment, Black Box Voting added 50 people, and gave them all the same password, which was "password." So far, Black Box Voting has not found a limit to how many people can be granted access to the vote database.
How important is this? Once someone has access to GEMS, they can:
a) change vote totals
b) change "flags" which are programmed settings that cause the program to function differently. (According to internal Diebold memos, there are 32 combinations of GEMS flags. Even the programmers have trouble keeping track of all the changes these flags can produce.)
c) alter the Audit Log
d) change passwords, access privileges, and add new users.
11. Election Meltdown
(10) Black Box Voting found that you can "meltdown" an election by using the menu items in GEMS.
a) with two mouseclicks, you can destroy all vote data
b) with four mouseclicks, you can destroy the configuration of the election, making it difficult to reload the original data.
(11) Can GEMS melt down by itself? According to testimony given before the Cuyahoga Elections Board, the Access database design used by GEMS apparently becomes unstable with high volume input. This problem, according to Diebold, resulted in thousands of votes being allocated to the wrong candidate in San Diego County in March, 2004.
12. The Audit Log
Britain J. Williams, Ph.D., is the official voting machine certifier for the state of Georgia, and he sits on the committee that decides how voting machines will be tested and evaluated. In a letter dated April 23, 2003, he said:
"Computer System Security Features: The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to the audit log. If an incident occurs on the system, this audit log allows an investigator to reconstruct the sequence of events that occurred surrounding the incident."
Since Dr. Williams listed the audit data as the primary security feature, Black Box Voting decided to find out how hard it was to alter the audit log.
(12) The Audit Log is another database compatible with Microsoft Access, so it is easy to alter.
In frequent demonstrations Black Box Voting adds a user named "Evildoer." Evildoer then performs various functions, including running reports to check his vote-rigging work, but only some of his activities show up in the Audit Log. After Evildoer melts down the election by pressing "reset election" and declining to back up the files, he shows up in the Audit Log.
All the references to Evildoer in the Audit Log can then be removed by highlighting them with the mouse and pressing the delete key.
(13) Microsoft Access encourages those who create audit logs to use auto-numbering, so that every logged entry has an uneditable log number. Then, if anyone deletes audit entries, a gap in the numbering sequence will appear.
However, Black Box Voting found that the auto-numbering feature was disabled by GEMS, allowing anyone to write in their own log numbers. Black Box Voting was able to add and delete entries from the audit without leaving a trace.
13. Could it be legitimate to keep two copies of the vote database?
From a programming standpoint, could there be legitimate reasons to have a second vote database that unlinks (disengages) from the first one? For example, what if election officials need to alter the vote numbers to add provisional ballots or absentee ballots?
The two copies of the vote database, the ability to easily unlink them, and the fact that the two reports are not created from the same data, appear to be illegitimate for two reasons:
If maintaining two copies of the vote database and unlinking them was legitimate, it would be done via a menu item in GEMS, and not executed from a hidden location by a secret code.
Nothing in GEMS documentation describes the use of these features. If the second copy of the vote database was legitimate, the county officials, whose jurisdiction paid for and owns the voting system, should be informed of such functions. Yet Diebold has not explained to county officials why it is there at all, and in most cases, never even told them these functions exist.
14. CPAs need to be involved in vote tabulation regulations, procedures, and design.
In accounting, it is improper to deal with changes by overwriting previous entries. Changes to previous entries should be made by new corrective entries that indicate the changes through clearly marked line items that preserve each transaction, and retain a permanent record of what happened.
According to elections officials interviewed by Harris and Stephenson of Black Box Voting, GEMS cannot perform an adjustment, and you can't journal the explanation for the change. Yet this is a common need: suppose a poll worker accidentally runs ballots through twice. You need to be able to correct this with an entry that shows all your work and what happened. Because of this limitation in GEMS, a common GEMS procedure is to wipe out the mistake and overwrite it with new data.
Also, it is improper to print a report of precinct vote tallies from the first copy of the vote database, and after everyone has checked those numbers, to print the summary report from numbers in the second copy. This is improper even if there was no provision to allow these two copies to contain different numbers.
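The accounting practice described in this section, together with the auto-numbering point in section 12, can be shown as a small append-only journal. This is an added example, not GEMS code and not from Black Box Voting; the names Entry, Journal and check_sequence and all sample data are hypothetical.

```python
"""Added example (not GEMS code): append-only tally journal. Data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    seq: int        # assigned by the journal, never supplied by the operator
    precinct: str
    candidate: str
    delta: int      # signed change; a correction is a new line, not an overwrite
    reason: str     # the journaled explanation for the entry
    operator: str   # an individual ID, so the log can say who did what


class Journal:
    def __init__(self):
        self._entries = []

    def post(self, precinct, candidate, delta, reason, operator):
        """Append an entry; existing entries are never edited or removed."""
        if not reason.strip() or not operator.strip():
            raise ValueError("every entry needs a reason and a named operator")
        entry = Entry(len(self._entries) + 1, precinct, candidate, delta,
                      reason, operator)
        self._entries.append(entry)
        return entry

    def entries(self):
        return list(self._entries)

    def tallies(self):
        """Derive tallies from the journal itself, so there is one set of books."""
        totals = {}
        for e in self._entries:
            key = (e.precinct, e.candidate)
            totals[key] = totals.get(key, 0) + e.delta
        return totals


def check_sequence(entries, expected_last):
    """Report numbering problems in an exported copy of the journal.

    expected_last is the final entry number recorded somewhere outside the
    journal (for example on a signed printout); without it, entries deleted
    from the end of the log would leave no gap to find.
    """
    problems = []
    expected = 1
    for e in entries:
        if e.seq != expected:
            problems.append(f"expected entry {expected}, found {e.seq}")
        expected = e.seq + 1
    if expected - 1 != expected_last:
        problems.append(f"log ends at {expected - 1}, record says {expected_last}")
    return problems


def demo_journal():
    """Constructed case: a poll worker runs one batch of ballots through twice."""
    j = Journal()
    j.post("P1", "Candidate A", 120, "polling place tape upload", "clerk-01")
    j.post("P1", "Candidate A", 120, "polling place tape upload", "clerk-01")
    j.post("P1", "Candidate A", -120,
           "correction: ballots run through twice, reverses entry 2", "clerk-02")
    return j


if __name__ == "__main__":
    journal = demo_journal()
    print(journal.tallies())
    copy_with_deletion = [e for e in journal.entries() if e.seq != 2]
    print(check_sequence(copy_with_deletion, expected_last=3))
```

The mistake and its correction both remain on record, and a copy of the log with an entry removed fails the numbering check.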
15. ACTIONS TO TAKE
Risks can be reduced if county officials maintain control over access to the central tabulator. However, nothing has been done to inform election officials who are using GEMS, nor have appropriate security safeguards been implemented.
Every citizen can take action:
--Inform election officials of the vulnerabilities. Bring them a copy of this summary and Kim Zetter's article, Activists Find More E-Vote Flaws. Let there be no one who can say, "I didn't know."
--Work to ensure proper corrective security procedures. Let there be no jurisdiction using GEMS that fails to implement all the proper corrective procedures.
www.wheresthepaper.org has links to suggestions from several organizations. For example:
--Polling place tallies should be posted publicly and each candidate's poll watcher should get a copy before all vote and vote tally materials are sent to the central tabulating location.
--Arrange for multipartisan observers to accompany the materials as they are transported.
--Arrange for multipartisan technical observers to be at the central tabulating location(s).
--Arrange for continuous video taping at the central tabulating locations, like many banks have when their employees perform sensitive operations such as opening the backs of their ATMs.
--Before anyone approaches the central tabulating computer, they should state what their purpose is and how they intend to interact with the computer, and then request multipartisan technical observers to watch them and verify that they are doing only what they said they would do.
a) Disconnect all modems and wireless communication devices. Stop using the digiboard modem bank attached to GEMS.
b) Establish a procedure so that all corrective entries to the vote database must be journaled, documented, and made publicly available, whether or not "they would change the outcome of the election."
c) Control access to the central tabulator through key logs and access cards.
d) Maintain a list of everyone who enters the central tabulator room, with log in and out times and dates.
e) Any Diebold techs or county IT people who are allowed access to the central tabulator room should be formally deputized or certified and sworn as election officials. Their names and credentials should be available to the public. The names of all individuals allowed access to central tabulators should be posted publicly during elections, and all individuals who have access to the central tabulator should be available to citizens through public records requests.
f) Physical control, in addition to keys to the room, should include blocking off access through ceiling panels and limiting physical access through all other means.
g) Verify all numbers printed on both GEMS reports, making sure that all precinct numbers are correct and that all totals have been summed from those numbers.
"Statement of Votes Cast" (total votes per candidate from each precinct)
"Election Summary" (total votes per candidate for all precincts in the county)
17. SHORT TERM CORRECTIVE ACTION FOR TOUCH SCREEN COUNTIES
Counties at greatest risk are those that use both Diebold touch screens and the GEMS central tabulator. This is because the touch screens keep no physical record of the vote and cannot be independently audited, and the GEMS central tabulator can be hacked in seconds to alter the vote tallies or erase all vote data.
a) Use paper ballots for all voters. All counties with touch screens also have paper absentee ballots and central count optical scanner machines for counting absentee votes. In November, print more paper ballots, let all voters use them, and count them via the optical scanner.
b) Publicly announce and post all polling place tallies in each polling place BEFORE returning the materials and tallies to the central count location. All counties should require this, regardless of the voting technology in use.
c) Poll workers should print two copies of the polling place tapes containing all results.
One copy should be posted at the polling place, so that an audit set of the numbers is available to the public immediately.
The other copy should be attached to the vote data, sealed, and transported to the county in front of at least two witnesses.
d) Make a complete audit of all polling place tapes against the data in GEMS. Then manually sum up the data on all polling place tapes, in order to compare manual totals to that produced by the central tabulator.
e) Do NOT co-mingle data. Absentee, provisional, challenge, and early votes must not be mixed together with polling place votes, but must be accounted for as separate line items.
f) Establish consequences for failure to follow risk reduction procedures.
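The verification described in item g) of the previous list and in item d) above can be run as a three-way reconciliation once the tapes and both printed reports have been keyed in. This is an added example, not part of the original report; the function names and all figures are constructed, and ballot types are kept as separate lines as item e) requires.

```python
"""Added example: reconcile polling place tapes against both GEMS reports.
All figures are constructed sample data."""
from collections import defaultdict

# Lines are keyed by (precinct, ballot type, candidate) so that absentee and
# polling place votes stay separate line items.
TAPES = {  # keyed in from the signed polling place tapes
    ("P1", "polling", "Candidate A"): 120, ("P1", "polling", "Candidate B"): 95,
    ("P2", "polling", "Candidate A"): 80, ("P2", "polling", "Candidate B"): 110,
    ("P1", "absentee", "Candidate A"): 14, ("P1", "absentee", "Candidate B"): 9,
}
# Statement of Votes Cast as printed: in this sample it matches every tape.
SVC = dict(TAPES)
# Election Summary as printed: in this sample ten votes have moved from A to B.
SUMMARY = {"Candidate A": 204, "Candidate B": 224}


def totals_by_candidate(lines):
    """Sum precinct lines into county totals without using the tabulator."""
    totals = defaultdict(int)
    for (_precinct, _ballot_type, candidate), votes in lines.items():
        totals[candidate] += votes
    return dict(totals)


def reconcile(tapes, svc, summary):
    """Return a list of (check, key, expected, found) discrepancies."""
    findings = []
    # Check 1: every tape line against the Statement of Votes Cast,
    # including lines that appear on only one side.
    for key in sorted(set(tapes) | set(svc)):
        if tapes.get(key) != svc.get(key):
            findings.append(("tape_vs_svc", key, tapes.get(key), svc.get(key)))
    # Checks 2 and 3: the Election Summary against totals summed by hand from
    # the tapes, and against totals summed from the Statement of Votes Cast.
    manual = totals_by_candidate(tapes)
    from_svc = totals_by_candidate(svc)
    for cand in sorted(set(manual) | set(from_svc) | set(summary)):
        if manual.get(cand) != summary.get(cand):
            findings.append(("tapes_vs_summary", cand,
                             manual.get(cand), summary.get(cand)))
        if from_svc.get(cand) != summary.get(cand):
            findings.append(("svc_vs_summary", cand,
                             from_svc.get(cand), summary.get(cand)))
    return findings


if __name__ == "__main__":
    for finding in reconcile(TAPES, SVC, SUMMARY):
        print(finding)
```

In the sample, the precinct spot check passes on every line while the summary totals fail both comparisons, which is the case a precinct-only spot check would miss.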
18. LONG TERM CORRECTIVE ACTION
a) Taxpayers should demand that their local and state government replace Diebold and other electronic voting systems, because all studies have shown that they are insecure. Even if these systems were perfect today, they could be hacked tomorrow.
The history of elections tells us that whenever part of the election process is hidden from public oversight, errors and fraud will take place. Electronic voting conceals the recording and tallying of ballots, and invites fraud. If electronic voting systems produce voter-verified paper ballots, and a complete audit is done using them, this would restore public oversight. Regrettably, not one Board of Elections has the staff, expertise, or resources to perform a complete computer audit using voter-verified paper ballots. It is far simpler, less expensive, and quicker to use paper ballots marked by hand and counted by optical scanner or by hand. Studies have shown that the most accurate elections are those that use paper ballots marked by hand. Voters with disabilities can mark paper ballots by use of a ballot-marking machine, such as those made by Populex or Automark.
b) Taxpayers and governments can seek restitution of their money under consumer protection laws.
The following is a direct quote from Black Box Voting's Consumer Report #4
"Attorneys: Black Box Voting may join in your county, state, or federal Qui Tam actions, waiving our right to the whistleblower bounty, retaining your own for attorneys fees if possible, providing the evidence we have (and it fills a small warehouse by now), in order to get taxpayer restitution for the purchase of this system.
"What about the Qui Tam requirement to seal the evidence?
"We believe that in this case, the fraudulent claims cases should be filed anyway, with a refusal to seal the evidence, to recover money for the taxpayer.
"Yes, there are some who say that to prevail with a false claims act, the evidence must be sealed, and some have kept quiet about what they are gathering, saying "nothing can be done until after the election." We disagree. We, all of us, have an obligation to head off this train wreck.
"ALL evidence must be put into the hands of the public, so that we can have a fair election. Let us go forth with preventive actions instead of sabotaging the election in order to profit on the back end.
"Consumer fraud cases are needed to achieve taxpayer restitution. The evidence must not be sealed, because it is needed in order to put appropriate security procedures in place to protect the election.
"California is expected to announce on Sept. 6 whether they will help seek taxpayer restitution in the existing Qui Tam.
We predict that the California Attorney General will reject the effort to seek taxpayer restitution. Instead, they will try to rehabilitate Diebold. Two members of the California Voting Systems Panel have told Black Box Voting that they intend to deal with Diebold after the election.
"Diebold has just demonstrated its "voter verified paper ballot" to California. Yet, this system really doesn't matter, if you don't have security in place, don't audit, and can hack the central tabulator."
c) How much taxpayer money is involved?
You can't run the multimillion dollar Diebold voting system without GEMS.
State of Georgia: $52 million
State of Maryland: We hear it is up to $70 million by now.
State of Arizona: Approx. $50 million
State of California: In total, approx. $100 million
All in all, the Diebold system is used in about three dozen states, and the amount of money spent nationwide is between 1/2 and 3/4 Billion.
d) It's not too late.
--Voters want and deserve security procedures to protect the integrity of their vote this fall.
--Taxpayers want and deserve their money back.
--Public officials must be informed, and if they refuse to look, it must be documented so that they can be held accountable.
--Anyone who looks has a moral obligation to do something about this. Any public official who looks has a legal obligation to take the appropriate steps.
Beyond hardware, our Global Election Management System (GEMS®) software provides a powerful, easy-to-use graphical interface that supports all of your election systems; Touch-screen or optical scan. From ballot creation to tabulation and post election reporting, GEMS provides an integrated Windows® solution that works.
GEMS® is an advanced and technologically proficient election management system.
GEMS election management and tabulation computer software is the culmination of many years of software development invested toward the future of elections. The goal, with GEMS, is to allow an election administrator to easily and completely control every step of the election process, from ballot layout to election reporting. GEMS software operates on Microsoft's Windows® platform. GEMS' reporting capabilities allow the election administrator to quickly report results to the public, candidates and the media, and to easily customize these reports for specific needs.
GEMS® and Microsoft Windows®
GEMS is a state of the art election management software package that runs on Microsoft's Windows operating system. It capitalizes on the latest advances in software and hardware technology, reducing incompatibility and upgrade headaches. Furthermore, Microsoft's familiar user interface means you don't have to learn a new system. You can transfer your knowledge of Windows, learned with your home and office computers, to help you easily and intuitively operate GEMS.
The Windows interface also means you can use your familiar office programs in conjunction with GEMS. For example, you can type and spell-check propositions or measures, in word-processing programs such as Microsoft Word® or WordPerfect®, then paste the text directly into the GEMS ballot layout screen.
The flexibility of GEMS enables the powerful software to accommodate many election law modifications with minimal operator activity. This capability can save a jurisdiction thousands of dollars in software development charges over the life of the system.