Predetermination of Electoral Outcomes Through

Exploitable Features of an Election Management System

April 18, 2005

INTRODUCTION

Since Nov. 2004, there has been extensive speculation about how election results might
have been altered via electronic voting systems. While suspicions concerning malicious
code embedded in undisclosed proprietary software and interception of data transmission
via wide-area networks have received some attention, little or none has been given to the
existing features of Ballot Text editing and Straight Party voting options implemented in
the Diebold Global Election Management System (GEMS) application itself. These
features could have been exploited fairly easily, separately or in combination, to favor
one candidate over another in the 2004 and/or prior elections, possibly affecting their
outcomes.

The author is therefore concerned about potential exploitation of the system by

administrative users with no direct knowledge of, or access to, the underlying “back end”
database, files, or source code. In other words, there are features of the application that
even a casual computer user has the capability to exploit in order to perpetrate election
fraud. Those with actual computer programming or “hacking” experience need not apply
for the job; anyone familiar with a computer keyboard and a mouse possesses the
necessary skills.

It should be common knowledge that GEMS software is used to tabulate vote totals,
which can be uploaded from precinct-level Touch Screen/Direct Recording Electronics
(DRE) and Optical Scan (Op Scan) voting systems after the election. What is not as
commonly known is that GEMS is also used to implement entire pre-election
configurations such as:

- Definition of jurisdictional information (e.g., local or congressional districts);

- Creation of both e-ballot and paper ballot content and artwork via Ballot
Definition Files (BDFs);
- Definition of races (e.g., candidate, straight party, proposition);
- Definition of voter groups (e.g., by party, absentee, non-absentee);
- Linkage of candidates to their respective parties and races;
- Configuration of precinct-level machines either on site or remotely via dial-up
(modem), LAN, or Internet connectivity.
Predetermination of Electoral Outcomes Through Exploitable Features of an Election Management System

After becoming aware of some electronic voting machine problems documented in the
Election Incident Reporting System (EIRS) which seemed to favor George W. Bush, I
undertook to determine which of these, if any, could be explained simply by improper
machine configuration, and which could only be the result of malicious tampering with
the code itself. While the former might have been detectable by some attentive voters, the
latter should have been concealed well enough to be undetectable to anyone but the
perpetrator of the fraud. Therefore in Feb. 2005, I obtained one copy of each of the
following for evaluation, which are readily available via the Internet:

a) GEMS software Version 1.17.23.0, NASED Certified;

b) GEMS User Guide Revision 3, Version 1.17.15; July 3, 2001;
c) A Diebold Election Systems Election Support Guide,
Revision 1.0, Oct. 21, 2002.

The purpose of this white paper is to review my findings to date, after a one-month
evaluation of the software, and to suggest some ways in which several exploitable
features of GEMS thus far identified could have been combined in order to guarantee a
predetermined outcome for a particular candidate on the ballot.

BLANK VOTES VS. UNDERVOTES

First, a word about nomenclature: Perhaps the major advantage of DREs touted by their
proponents in the literature and the marketplace, is a reduction in the percentage of
undervotes (unrecorded choices). However, it should be noted that in Diebold’s
documentation and election results reports, the term “undervote” only applies to those
races in which multiple candidates are elected to fill multiple offices, and then only if the
voter failed to select the maximum number of candidates allowed. The term “undervote”
in a Diebold report, should therefore not even apply to a race in which only one candidate
may be chosen. I.e., by Diebold’s own definition, a race for President or US Senate
should have no undervotes. Diebold refers to an unrecorded choice in such a race as a
“blank vote” -- not an “undervote.”

While this raises questions about the legitimacy of claims regarding reductions in
undervotes (since most unrecorded choices would actually be reported as “blank votes”
and not “undervotes”), in the present work the standard term “undervote” will be used
consistently to avoid any confusion.

Page |2
Predetermination of Electoral Outcomes Through Exploitable Features of an Election Management System

EXPLOITATION OF BALLOT DEFINITION FILES

One basic problem with this election management system is that Diebold’s Ballot
Definition application has no built-in safeguards to force the ballot text (i.e., what the
voters see on the touch screen or the paper ballot) to conform to what is actually
programmed into the database where the votes are counted. This is an astounding finding,
which thus far has been under-reported and uninvestigated.

One would think that any well-designed election management application would prohibit
a database record or label, such as a candidate’s name or party affiliation, from being
displayed or printed in a deceptive or erroneous manner on the ballot. Instead, the ballot
text fields in GEMS are fully and independently editable until the election is officially
started. Furthermore, no specific entries for changes to the Ballot Definition Files are
generated in the GEMS audit log, so that anyone with administrative rights to the system
could make such changes without being detected.

By exploiting this “feature” of the software it would have been only too easy, for
example, for all the votes for George W. Bush in a given jurisdiction to have been
switched to John F. Kerry, and vice versa just by reversing the order of the names the
voters saw on the ballot. As long as the likely outcome of an election were known in
advance (from demographics, pre-election polling, early voting results, etc.), this would
be a simple and elegant way to reverse it -- before the election began.

There would have been no telltale increase in undervotes, or more votes than registered
voters, since all the votes cast would still have gone to one candidate or the other.
Anyone capable of using a text editor could have set this up. Only administrative access
to the GEMS Ballot Definition Files would have been required prior to the election (or
prior to printing the paper ballots in the case of Op Scans). Changes such as this, made on
the server side, would of course be propagated to any or all DREs in the jurisdiction.

In the case of DREs, changes to the ballot text could also have been made after the
configuration had been downloaded from GEMS. By using a supervisor card and the
DRE menu options, or by removing the flash memory PCMCIA card from the DRE,
ballot text could have been altered at the precinct, as discussed in the RABA report
produced for the state of MD. However, access to the GEMS server would make either of
these methods unnecessary as the application itself already allows full ballot text editing
with no recursive linkage to the corresponding database labels residing on the same
server.

But how could one have altered election results that were not known in advance? If the
race were too close to call, or it would have been undesirable to completely reverse the
results, methods other than ballot text editing would have been required. This is where
exploitation of the Straight Party voting option comes in.
Page |3
Predetermination of Electoral Outcomes Through Exploitable Features of an Election Management System

EXPLOITATION OF STRAIGHT PARTY VOTING OPTIONS

For those unfamiliar with Straight Party voting, simply put, this allows one race to
control other races on the ballot. Typically, two options called “Democratic” and
“Republican” are set up (and there may be third party options as well), and selecting
either of these causes all the candidates of the corresponding party to be voted for, down
to the lowest office on the ticket. However, there is absolutely no requirement in GEMS
to include any particular candidate or race in any Straight Party option.

For example, Bush could have been included in the Republican Straight Party ticket in
the race for President, while Kerry could have been excluded from the Democratic
Straight Party ticket. Unless a third-party candidate such as Badnarik or Nader were
substituted for Kerry, all the Democratic Straight Party votes cast would show undervotes
for President. While DREs provide a warning to the voter that this is happening, via the
Summary screen, a voter is allowed to continue without correcting this "error."
Additionally, the Diebold Accuvote Op Scans, by default, are set NOT to warn the voter
about any potential ballot errors. This is yet another feature that could have been
exploited, but for the sake of brevity, I will omit it from this discussion.

In the above example, we would have a situation where greater than expected undervotes
or greater than expected third party votes for President could raise suspicions of fraud,
assuming such things were actually examined in detail by election officials or the public.

Straight Party voting was allowed in 17 states in 2004 (AL, IA, IN, KY, MI, MO, NC,
NH, NM, OK, PA, RI, SC, TX UT, WI and WV), some of which were decided by very
narrow margins. However, not all of these states had the same procedures.

NC and SC, Bush won decisively, but in these states, the law requires a separate vote for
president. By excluding the presidential race from the Straight Party option, voters were
required to choose a presidential candidate separately, possibly resulting in excessive
presidential undervotes. Also, as noted above, there is no requirement in GEMS to either
include or exclude all the candidates for President from the Straight Party option.

In PA, where Kerry won by about 2%, cross-party votes on an otherwise straight-party
ballot are handled differently than in other states: Any cross-party vote must override the
Straight Party option. So, a Republican Straight Party voter who selected Kerry for
President in PA would have had her vote counted for Kerry. Of course, the same would
have been true of a Democrat in PA who voted for his straight party and also chose Bush.
In other states, this would not necessarily have been the case.

Page |4
Predetermination of Electoral Outcomes Through Exploitable Features of an Election Management System

Outside of PA, the default Straight Party voting option for Diebold DRE machines
cancels any cross-party selection made prior to selecting the Straight Party ticket. So
even with a correctly configured Straight Party race, any Republicans for Kerry or
Democrats for Bush could have had some difficulty casting their votes for President in a
straight-party voting state other than PA. Given the less than 1% victory margin for Bush
in both IA and NM in 2004, even a configuration error or ambiguous voting instructions
could have decided these states.

On average, the vote tallies for Kerry deviated further from the NEP Exit Polls in states
with Straight Party voting, than in states without Straight Party voting (-2.03% vs. -
1.77% respectively). This suggests the possibility that Straight Party voting (which has
historically favored Democrats by a small margin) could have been exploited to favor
Bush through incorrect or malicious machine configuration, but this would not have
changed the outcome of the election. Many of the Straight Party states were not swing
states and some actually ended up favoring Kerry.

So how could one have guaranteed a win for the candidate of their choice, using the
available administrative features in GEMS, without triggering an excessive number of
undervotes, third party votes or unexpected reversals in outcomes? One answer lies in the
exploitation of a combination of GEMS features that would not have been detected by the
voters. Here is how it could have been done:

STEALTH “STRAIGHT PARTY” VOTING

In any Diebold jurisdiction, a Straight Party controlling race could have been defined on
the ballot and made to appear as a race between two candidates at the bottom of the ticket
by editing the ballot text as described above. Let’s take a race for Dog Catcher for
example. Suppose one knew that in a given jurisdiction, traditionally 10% of voters
actually voted for Dog Catcher divided roughly 50/50 between the Democratic and
Republican candidates. The race could have been defined as follows:

The Democratic and Republican candidates’ names appeared on the ballot; the race was
called “Dog Catcher” and was labeled in the database as such. But instead of just a race
between the two candidates for Dog Catcher, this race was defined as a Straight Party
controlling race. The race for President was set up to accept votes from the Dog Catcher
race as part of a Straight Party voting option. But only one presidential candidate was
actually linked to the Straight Party Dog Catcher race: George W. Bush -- and he was
linked to the Democratic rather than the Republican candidate for Dog Catcher. Since the
PA Straight Party option was not enabled (by default), any previous choice of Kerry
would have switched to Bush.

Page |5
Predetermination of Electoral Outcomes Through Exploitable Features of an Election Management System

Unbeknownst to the voters, when they selected the Democratic candidate for Dog
Catcher they would also have been casting a vote for Bush for President. Because Dog
Catcher was at the bottom of the ballot, few would have noticed the change in their
Presidential vote from Kerry to Bush and in the case of Op Scans, the voters may not
have been alerted to this at all. Unless the voter changed the vote for Dog Catcher or
President at the DRE Summary screen, Bush would have received the presidential vote
from a likely Democratic voter.

Meanwhile, both candidates for Dog Catcher would have received the correct number of
votes. Even though this race was defined as a Straight Party controlling race, there were
no candidates elsewhere on the ballot actually linked to the Republican choice. So, voters
could have voted Republican for Dog Catcher without any unauthorized changes to votes
cast elsewhere on the ballot.

The net effect of this would have been for Bush to gain up to 5% more votes relative to
Kerry, since Bush was guaranteed to receive as many votes as the Democratic candidate
for Dog Catcher. These two candidates were exclusively linked in GEMS, with the
Democratic candidate for Dog Catcher directing votes to the Republican candidate for
President of the United States. John Kerry and all the other candidates on the ballot
would have been excluded from the straight party ticket in GEMS and would therefore
have gained no additional votes whatsoever. Any legitimate vote for Bush would not
have been altered, since there were no Straight Party controlling races linked to any other
Presidential candidate.

Thus, by appropriately choosing the controlling race used to set up the Straight Party
option, as many votes could have been switched to Bush as were necessary to ensure his
victory. The only knowledge required beforehand was the percentage of voters who
historically voted in each of the races on the ballot.

Another advantage of this method is that a candidate’s total could have been padded in
jurisdictions where he would ordinarily have won anyway, thus enhancing his chances of
winning a statewide decision, or winning the popular vote, while not arousing suspicion.
I.e., this technique would have disenfranchised the opposition party in areas where they
were already weak, thereby not raising any red flags.

Of course, it’s illegal to have straight party voting in all but the 17 states that allow it, but
then so is election fraud. Anyone willing to commit the latter crime would have no
concern about the former, especially if the whole thing could be blamed on a “software
glitch.” The fact that such features are readily available in GEMS, which is often
configured by outside (non-BOE) contractors, means that plausible deniability and lack
of accountability by election officials are inherent in the process.

Page |6
Predetermination of Electoral Outcomes Through Exploitable Features of an Election Management System

SUGGESTIONS FOR FURTHER RESEARCH AND INVESTIGATION

I hope this work will be disseminated to the experts in the field and those who might have
a way to investigate these possibilities further or even disprove them. Unfortunately, the
author did not have time to evaluate the GEMS software and disseminate the results of
that evaluation concurrently, much less to do actual on-the-ground investigation. So, I
trust that you, the readers, will disseminate and investigate if you deem this worthy of
further study.

Note also that these discoveries were made after only a one-month part-time evaluation
of GEMS software by one individual. It therefore seems likely that someone with more
time or resources intent on altering the outcome of an election would be able to find even
more ways to do so within the framework of the existing software, or that produced by
other vendors.

The configurations discussed are all permitted in GEMS with no error messages or
warnings given to prohibit their use, indicating that they should work in the full client-
server environment (GEMS servers with Diebold Accuvote-TS DRE and/or Accuvote-
OS Op Scan clients). To confirm the feasibility of these exploits, a DRE and Op Scan
client would therefore have to be evaluated along with a GEMS server. The author only
had access to the latter.

Research into actual 2004 or prior election results in states that allowed Straight Party
voting, and particularly in those that did not allow it (where either an overt, or the above
stealth Straight Party voting technique could have been illegally implemented) should be
undertaken as soon as possible.

Search material could include:

- EIRS incident reports;

- Election results;
- GEMS configurations or reports;
- Poll tapes (precinct-level reports);
- Leaked internal Diebold memos or “bug” reports;
- Forensic analysis of GEMS hard drives or backup media, etc.

Page |7
Predetermination of Electoral Outcomes Through Exploitable Features of an Election Management System

The objects of such searches would be any suspicious voting patterns consistent with the
improper configuration settings discussed here, or the actual configurations themselves.

Evaluate other features of GEMS to determine how they might be exploited individually
or in combination, such as:

- Op Scan Ballot Reject Settings and Tally Settings (all of which are disabled by
default);
- “Vote-for > 1” Races (in which DRE voters are not alerted about possible
undervotes);
- Jurisdictional Definitions;
- Reports;
- Known and undiscovered bugs, etc.

Evaluate other e-voting systems to determine their potential for exploitation.

Encourage whistleblowers to come forward.

Roxanne Jekot, RIP

Georgia

Page |8