EDITOR'S NOTE: There are places where you will read, "(Click "read more" for the rest of this section)." But there are no links that I can find. It's a mystery. –Daniel ben Avram]

Consumer Report Part 1: Look at this – the Diebold GEMS central tabulator contains a stunning security hole

Submitted by Bev Harris on Thu, 08/26/2004 - 11:43.

Issue: Manipulation technique found in the Diebold central tabulator -- 1,000 of these systems are in place, and they count up to two million votes at a time.

 By entering a 2-digit code in a hidden location, a second set of votes is created. This set of votes can be changed, so that it no longer matches the correct votes. The voting system will then read the totals from the bogus vote set. It takes only seconds to change the votes, and to date not a single location in the U.S. has implemented security measures to fully mitigate the risks

This program is not "stupidity" or sloppiness. It was designed and tested over a series of a dozen version adjustments.

 Public officials: If you are in a county that uses GEMS 1.18.18, GEMS 1.18.19, or GEMS 1.18.23, your secretary or state may not have told you about this. You're the one who'll be blamed if your election is tampered with. Find out for yourself if you have this problem: Black Box Voting will be happy to walk you through a diagnostic procedure over the phone. E-mail Bev Harris or Andy Stephenson to set up a time to do this. 

For the media: Harris and Stephenson will be in New York City on Aug. 30, 31, Sep.1, to demonstrate this built-in election tampering technique. 

Members of congress and Washington correspondents: Harris and Stephenson will be in Washington D.C. on Sept. 22 to demonstrate this problem for you. 

Whether you vote absentee, on touch-screens, or on paper ballot (fill in the bubble) optical scan machines, all votes are ultimately brought to the "mother ship," the central tabulator at the county which adds them all up and creates the results report.

 These systems are used in over 30 states and each counts up to two million votes at once.

(Click "read more" for the rest of this section)

 The central tabulator is far more vulnerable than the touch screen terminals. Think about it: If you were going to tamper with an election, would you rather tamper with 4,500 individual voting machines, or with just one machine, the central tabulator which receives votes from all the machines? Of course, the central tabulator is the most desirable target.

 Findings: The GEMS central tabulator program is incorrectly designed and highly vulnerable to fraud. Election results can be changed in a matter of seconds. Part of the program we examined appears to be designed with election tampering in mind. We have also learned that election officials maintain inadequate controls over access to the central tabulator. We need to beef up procedures to mitigate risks. 

Much of this information, originally published on July 8, 2003, has since been corroborated by formal studies (RABA) and by Diebold's own internal memos written by its programmers. 

Not a single location has yet implemented the security measures needed to mitigate the risk. Yet, it is not too late. We need to tackle this one, folks, roll up our sleeves, and implement corrective measures.

In Nov. 2003, Black Box Voting founder Bev Harris, and director Jim March, filed a Qui Tam lawsuit in California citing fraudulent claims by Diebold, seeking restitution for the taxpayer. Diebold claimed its voting system was secure. It is, in fact, highly vulnerable to and appears to be designed for fraud. 

The California Attorney General was made aware of this problem nearly a year ago. Harris and Black Box Voting Associate Director Andy Stephenson visited the Washington Attorney General's office in Feb. 2004 to inform them of the problem. Yet, nothing has been done to inform election officials who are using the system, nor have appropriate security safeguards been implemented. In fact, Gov. Arnold Swarzenegger recently froze the funds, allocated by Secretary of State Kevin Shelley, which would have paid for increased scrutiny of the voting system in California.

On April 21, 2004, Harris appeared before the California Voting Systems Panel, and presented the smoking gun document showing that Diebold had not corrected the GEMS flaws, even though it had updated and upgraded the GEMS program.

On Aug. 8, 2004, Harris demonstrated to Howard Dean how easy it is to change votes in GEMS, on CNBC TV.

On Aug. 11, 2004, Jim March formally requested that the Calfornia Voting Systems Panel watch the demonstration of the double set of books in GEMS. They were already convened, and the time for Harris was already allotted. Though the demonstration takes only 3 minutes, the panel refused to allow it and would not look. They did, however, meet privately with Diebold afterwards, without informing the public or issuing any report of what transpired.

On Aug. 18, 2004, Harris and Stephenson, together with computer security expert Dr. Hugh Thompson, and former King County Elections Supervisor Julie Anne Kempf, met with members of the California Voting Systems Panel and the California Secretary of State's office to demonstrate the double set of books. The officials declined to allow a camera crew from 60 Minutes to film or attend. 

The Secretary of State's office halted the meeting, called in the general counsel for their office, and a defense attorney from the California Attorney General's office. They refused to allow Black Box Voting to videotape its own demonstration. They prohibited any audiotape and specified that no notes of the meeting could be requested in public records requests. 

The undersecretary of state, Mark Kyle, left the meeting early, and one voting panel member, John Mott Smith, appeared to sleep through the presentation. 

On Aug. 23, 2004, CBC TV came to California and filmed the demonstration.

On Aug 30 and 31, Harris and Stephenson will be in New York City to demonstrate the double set of books for any public official and any TV crews who wish to see it. 

On Sept. 1, another event is planned in New York City, and on Sept. 21, Harris and Stephenson intend to demonstrate the problem for members and congress and the press in Washington D.C.

Diebold has known of the problem, or should have known, because it did a cease and desist on the web site when Harris originally reported the problem in 2003. On Aug. 11, 2004, Harris also offered to show the problem to Marvin Singleton, Diebold's damage control expert, and to other Diebold execs. They refused to look.

Why don't people want to look? Suppose you are formally informed that the gas tank tends to explode on the car you are telling people to use. If you KNOW about it, but do nothing, you are liable. 


1) Let there be no one who can say "I didn't know."

 2) Let there be no election jurisdiction using GEMS that fails to implement all of the proper corrective procedures, this fall, to mitigate risk.

Part 2: Problems with GEMS Central Tabulator

This problem appears to demonstrate intent to manipulate elections, and was installed in the program under the watch of a programmer who is a convicted embezzler.

 According to election industry officials, the central tabulator is secure, because it is protected by passwords and audit logs. But it turns out that the GEMS passwords can easily be bypassed, and the audit logs can be altered and erased. Worse, the votes can be changed without anyone knowing, including the officials who run the election.

 Multiple sets of books

 (Click "read more" for the rest of this section)

 The GEMS program runs on a Microsoft Access database. It typically recieves incoming votes by modem, though some counties follow better security by disconnecting modems and bringing votes in physically. 

GEMS stores the votes in a vote ledger, built in Microsoft Access. Any properly designed accounting program will allow only one set of books. You can't enter your expense report in three different places. All data must be drawn from the same place, and multiple versions are never acceptable. But in the files we examined, we found that the GEMS system contained three sets of "books." 

The elections official never sees the different sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a "Statement of Votes Cast" (totals for each precinct). She has no way of knowing that her GEMS system uses a different set of data for the detail report (used to spot check) than it does for the election totals. The Access database, which contains the hidden set of votes, can't be seen unless you know how to get in the back door -- which takes only seconds.

 Ask an accountant: It is never appropriate to have two sets of books inside accounting software. It is possible to do computer programming to create two sets of books, but dual sets of books are prohibited in accounting, for this simple reason: Two sets of books can easily allow fraud to go undetected. Especially if the two sets are hidden from the user.

 A hidden trigger The data tables in accounting software automatically link up to each other to prevent illicit back door entries. In GEMS, however, by typing a two-digit code into a hidden location, you can decouple the books, so that the voting system will draw information from a combination of the real votes and a set of fake votes, which you can alter any way you see fit.

 That's right, GEMS comes with a secret digital "on-off" switch to link and unlink its multiple vote tables. Someone who tests GEMS, not knowing this, will not see the mismatched sets of books. When you put a two-digit code into a secret location can you disengage the vote tables, so that tampered totals table don't have to match precinct by precinct results. This way, it will pass a spot check -- even with paper ballots -- but can still be rigged. 

How and when did the double set of books get into GEMS?

 Black Box Voting has traced the implementation of the double set of books to Oct. 13, 2000, shortly after embezzler Jeffrey Dean became the senior programmer. Dean was hired as Vice President of Research and Development in September 2000, and his access to the programs is well documented through internal memos from Diebold. The double set of books appeared in GEMS version 1.17.7. 

Almost immediately, according to the Diebold memos, another Diebold programmer, Dmitry Papushin, flagged a problem with bogus votes appearing in the vote tables. The double set of books remained, though, going through several tweaks and refinements. From the time Jeffrey Dean was hired in September, until shortly before the Nov. 2000 election, GEMS went through over a dozen changes, all retaining the new hidden vote tables. 

For four years, anyone who has known how to trigger the double set of books has been able to use, or sell, the information to anyone they want.

Black Box Voting Associate Director Andy Stephenson has obtained the court and police records of Jeffrey Dean. It is clear that he was under severe financial stress, because the King County prosecutor was chasing him for over $500,000 in restitution. 

During this time, while Jeffrey Dean was telling the prosecutor (who operated from the ninth floor of the King County Courthouse) that he was unemployed, he was in fact employed, with 24-hour access to the King County GEMS central tabulator -- and he was working on GEMS on the fifth floor of the King County Courthouse. (Dean may now be spending his nights on the tenth floor of the same building; after our investigations appeared in Vanity Fair and the Seattle Times, Dean was remanded to a work release program, and may be staying in the lockup on in the courthouse now.)

Jeffrey Dean, according to his own admissions, is subject to blackmail as well as financial pressure over his restitution obligation. Police records from his embezzlement arrest, which involved "sophisticated" manipulation of computer accounting records, report that Dean claimed he was embezzling in order to pay blackmail over a fight he was involved in, in which a person died.

So now we have someone who's admitted that he's been blackmailed over killing someone, who pleaded guilty to 23 counts of embezzlement, who is given the position of senior programmer over the GEMS central tabulator system that counts approximately 50 percent of the votes in the election, in 30 states, both paper ballot and touch screen. 

And just after he is hired, multiple sets of books appear in GEMS, which can be decoupled, so that they don't need to match, by typing in a secret 2-digit code in a specific location.

Dr. David Jefferson, technical advisor for California voting systems, told Black Box Voting that he could see no legitimate reason to have the double set of books in a voting program. He surmised that it might be incredible stupidity.

Dr. Jefferson should speak to Jeffrey Dean's partners and those who worked with him. "Stupid" is not how he is described. The descriptions we get, from Dean's former business partner, and from others who worked with him, are "sophisticated," "cunning," "very bright," "highly skilled," and "a con man."

This is the man who supervised the programming for GEMS when the multiple set of books was installed. Diebold, however, is the company that did nothing about it.

Internal memos show that Dean was sent the passwords to the GEMS 1.18.x files months after Diebold took over the elections company. Diebold clearly did not examine the GEMS program before selling it, or, if it did, chose not to correct the flaws. And after exposing this problem in 2003, Diebold still failed to correct it.

Elections were run on this tamper-inviting system for more than three years, and anyone who knew could sell the vote-tampering secrets to anyone they wanted to, at any time.

It has been a year since this report was first printed, and Diebold has never explained any legitimate reason for this design, which is rather elegant and certainly is not accidental. 

For our Fair Use of Copyrighted material Notice, please click on the ©.

Back Button