GEMS Tabulation Database Design Issues in Relation to Voting Systems Certification Standards

This paper analyzes the Diebold Election Systems, Inc. election management software (GEMS) using publicly accessible postings of GEMS election databases. It finds that the GEMS architecture fails to conform to fundamental database design principles and software industry standards for ensuring accurate data. Thus, in election tabulations, aspects of the GEMS design can lead to, or fail to protect against, erroneous reporting of election results. Further, GEMS’s dependence on Microsoft’s JET technology introduces additional risks to data accuracy and security. Despite these technical and systemic deficiencies, GEMS received approval as complying with Federal Voting System 2002 standards. Questions then arise concerning the adequacy of the 2002 and 2005 regulatory standards. The paper concludes that the standards structurally encourage and reward election system vendors for using less exacting database design standards. With unprecedented Federal funding available to States under the Help America Vote Act of 2002 (HAVA), election administration has become highly reliant on computer technologies. While some continue to praise the new voting and tabulation technologies as a significant advance, the augmented computerization has introduced new possibilities for wide-impact election operational errors and may have opened new avenues for tampering with election results. Previous vulnerability analyses have focused on a direct-recording electronic (DRE) voting machine, a paper ballot optical scanning device, 1 J.D., 2007; Technical Staff, Center for Election Integrity, Cleveland State University. 2 Director, Center for Election Integrity and Associate Professor of Law, Cleveland State University. This paper was submitted to EVT/USENIX on April 23, 2007, accepted for publication on June 1, 2007, and will be presented at the EVT ’07 Conference on August 6, 2007. A longer version will be available by August 1, 2007 (posted in the Working Papers section, Center for Election Integrity website, www.urban.csuohio.edu/cei/) that is styled for the nontechnical audience. The Center initiated the Collaborative Public Audit of the November 2006 election in Cuyahoga County cited here, and its staff provided technical analysis for the audit. 3 42 U.S.C. §§ 15301 – 15545 (2006). 4 Ariel J. Feldman et al., Security Analysis of the Diebold AccuVoteTS Voting Machine, (Sept. 13, 2006), at http://itpolicy.princeton.edu/voting/ts-paper.pdf. computerized vote-tallying, and a pilot test of internet voting. But the systemic design features of currently utilized election tabulation databases have yet to be closely examined. This paper analyzes the Diebold Election Systems, Inc. (DESI) election management software named Global Election Management System (“GEMS”) using publicly accessible postings of GEMS election databases. It finds that the GEMS architecture violates fundamental design principles and software industry standards for ensuring accurate data. When utilized for election tabulations, the GEMS design can lead to data errors, which in turn create a serious risk for generating erroneous election results. GEMS architectural design plus its use of Microsoft’s JET technology, introduces significant risk of data errors in elections administered using GEMS. Either of these design aspects would be worrisome. For the GEMS database (DB) to have been structured with fundamental flaws at the levels of both system architecture and system technology, and yet still obtain Federal and State certification, raises questions concerning the adequacy of the existing regulatory standards. Thus the paper turns to ask what the relationship is between the regulatory standards and the technical database flaws. It argues the regulatory standards structurally encourage low DB design standards rather than promoting the use of tabulation system architecture that meet widely recognized industry standards for data accuracy and reliability. This paper proceeds by briefly reviewing the DB design principles of the First and Second Normal Forms. In part II, the paper examines the GEMS DB in light of these fundamental design principles, concluding that GEMS does not satisfy even the most 5 Hursti, Hari, Critical Security Issues with Diebold Optical Scan Design, (July 4, 2005), at http://www.blackboxvoting.org/BBVreport.pdf. 6 Saltman, Roy G., Accuracy, Integrity, and Security in Computerized Vote-Tallying, NBS Special Publication 500-158, (August 1988), http://www.itl.nist.gov/lab/specpubs/500-158.htm. 7 David Jefferson, Ari D. Rubin, Barbara Simons, David A. Wagner, A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE), at http://www.cs.berkeley.edu/~daw/papers/servereport.pdf See http://www.equalccw.com/dieboldtestnotes.html and http://www.bbvforums.org/forums/messages/2197/44189.html This paper’s GEMS assessment is perforce limited to examples of the end product but the design flaws are discernible at this level.