
Expanded Executive Summary

AES 2010: Crisis Management Forum


This forum was a gathering of selected key experts, critics, and advocates who are familiar with,
involved in, and knowledgeable about the country's first-ever full scale election automation to be
held on May 10, 2010. The full scale automation of elections will include the use of the Precinct
Count Optical Scanning (PCOS) machines as well as the use of the Counting and Canvassing
System (CCS) as among the components of the Automated Election System (AES). This is in
accordance with the provisions of Republic Act 8436 as amended by RA 9369 which is the
election automation law, of RA 8792 known as the e-Commerce Act, and of RA 9525 known as
the 2009 supplemental budget for the purchase or lease of the AES.

I. PROGRAM OBJECTIVE

The aim of this assembly was to build a consensus among stakeholders and concerned groups in
order to encourage collaboration among them in their response to crises related to the
implementation of the AES.

II. PURPOSES

1. To validate the issues and concerns raised by different sectors on the vulnerabilities of the
AES;
2. To determine and establish the grounds for ensuring the credibility and integrity of the
AES;
3. To identify potential problem areas and assess the impact of the perceived AES failures;
and
4. To produce, as an output of the forum, a document reflecting forum recommendations
and suggested courses of action.

III. RATIONALE

Approximately two (2) weeks from today, the Philippine Republic will engage in and witness the
first-ever multi-billion peso information and communications technology (ICT) project
automating the highly contested national and local elections of May 10, 2010. The steps taken
and the activities undertaken or not, as reported in the news, have resulted in some quarters
becoming hopeful and wanting to see this bold innovation succeed. On the other hand, the same
steps and activities have caused others to become skeptical and to worry that failures may cause
increased instability in this young democracy that is the Philippines.

The Philippine Computer Society, as the first and therefore the oldest organization of ICT
professionals (established in 1967), has continuously advocated for reforms in the Philippine
electoral system. Since the time of ratification of the Philippine Constitution of 1987, PCS has
served as advisor or consultant to the Commission on Elections, and as member of the various
Technical Working Groups of the legislative branch of government. With a membership
composed of management professionals and industry-based practitioners, PCS has been and is in
a position to take stock of issues and respond to concerns that have recently hogged the
limelight. PCS, with the intention of mitigating risks and containing crises, can generate
awareness among and respond to voiced threats and fears of an anxious citizenry.

ICT has been chosen as the principal tool for ridding the Philippine electoral system of fraud.
Implementation of such a choice, however, is not as simple as purchasing a ready solution from
over the counter of a supermarket. There are other tasks involved – such as hardware and
software systems configuration, transmission, networking and communications security, process
and change management, as well as risk and crisis management leading to the drafting of a
contingency plan. This forum was instituted to initially identify and classify the risks to be
mitigated. In the event the foreseen failures and crisis events do occur, a continuity plan must
have been planned – as prescribed in Section 10[13] of RA 9369 under the heading Continuity
Plan – to enable COMELEC to issue this plan to the public not later than fifteen (15) days before
election day. That day is this Sunday April 25, 2010.

IV. PARTICIPANTS

Participants were representatives of: Industry associations and professionals; Academic and
research community; Civil society organizations; Political stakeholders; Peace and order
enforcers; and Judicial and legal community

1LT Lynbert Abrav Armed Forces of the Philippines
Ms. Maricor Akol PhilNITS
Ms. Kristine Alave inquirer.net
Mr. Suniel Aragon S/Mate Computer
Mr. Allan Borra DLSU-Manila
Mr. Larry Brouhard Global News Network
Ms. Ma. Chezka Buhay Far East Broadcasting Co.
Mr. Ferdinand Cajanding Far East Broadcasting Co.
Mr. Edmundo Casiño Philippine Computer Society
CPL Maureen Caurel Signal Group, Philippine Army
Mr. Anthon Cayaco DND-OPLA
Mr. Nelson Celis Philippine Computer Society
Mr. Rolly Corpus Philippine Computer Society
COL Dante Costes Signal Group, Philippine Army
Ms. Nimya Dacanay Philippine Computer Society
MAJ Romana Gregoria Gernale Signal Group, Philippine Army
Ms. Karla Guia IFES Philippines
Mr. Jaime Hernandez CenPEG
PFC Fevelyn Ilaw Signal Group, Philippine Army
Ms. Grace Jamon Association of Schools & Public Administration of the Phils. (ASPAP)
MAJ Rommel Juntilla OG6, Philippine Army
CAPT Jeejal Levina Signal Group, Philippine Army
COL Jesus Lomeda Armed Forces of the Philippines
Mr. Ben Madgett Carter Center
Ms. Angelique Magboo CenPEG
Mr. Carlos Manuel Philippine Computer Society
Mr. Edgardo Marquez PLDT
Mr. Jed Martinez Far East Broadcasting Co.
Ms. Pamela Jane Mendoza JPCS- AMA Computer University QC
Mr. Samson Milanes, Jr. Netsys Consulting Solutions
Mr. Gabe Morris Carter Center
Mr. Leo Querubin Philippine Computer Society
COL Rico Raqueño OG6, Philippine Army
Ms. Florian Salcedo CenPEG
Mr. Ley Salcedo iOne Resources
Dr. Arwin Serrano PPCRV
Mr. Antonio Tinsay Philippine Computer Society
Mr. Peter Trolio Pacific Strategies & Assessments
Ms. Tina Villamin Digi Leaf
V. PROGRAM OF ACTIVITIES

Time | Topic | Speakers
7:00am | Arrival/registration of attendees |
7:30 | Breakfast |
8:45 | Invocation/Phil. National Anthem |
8:50 | Opening Remarks | Mr. Nelson J. Celis, President, PCS
9:00 | Introduction of participants |
9:05 | Environmental Scan | Mr. Edmundo G. Casiño, Director, PCS
9:30 | Is Automated “Garci” Possible? | Mr. Augusto C. Lagman, Chairman and Co-CEO, Vinta Systems, Inc.
10:30 | AES Credibility Matters | Atty. Al S. Vitangcol III, Managing Lawyer of AVALaw; President and Chief Systems Officer of i-technoLAWgy Systems Solutions Inc.
11:30 | Business Continuity | Mr. Lito Averia, PH-CERT
12:10 nn | Lunch Break |
1:00pm | Open Letter to COMELEC | Atty. Simeon V. Marcelo, President, Philippine Bar Association
1:30 | Risk Controls | Mr. Telibert Laoc, National Democratic Institute
2:00 | The Conduct of Elections – An Assessment | Mr. Christian Monsod, Former Chairman, COMELEC
3:00 | Coffee Break |
3:30 | Validating Election Results: Random Manual Audit | Mr. Nelson J. Celis, President, PCS
4:00 | Legal Issues on Cryptography; Mitigation on Technical Issues | Dr. Atty. Noel Ramiscal, Prosecutor and Professor, University of the Philippines – Los Baños
4:30 | Enhancing AES Transparency & Results Acceptability | Mr. Antonio G. Tinsay, Vice President, PCS
5:15 | Panel Discussion on Mitigation Measures | Panelists: Mr. Edmundo Casiño, Mr. Antonio Tinsay, Mr. Nelson Celis, Atty. Al Vitangcol III, Atty. Dr. Noel Ramiscal. Moderators: Mr. Carlos Manuel, Director, PCS; Mr. Rolando Corpus, Internal Auditor, PCS
6:00 | Closing Remarks | Mr. Antonio G. Tinsay, Vice President, PCS

VI. ISSUES AND AREAS OF CONCERN IDENTIFIED

1. Digital signature / certificate

Due to their possession of the private keys, Smartmatic and its associates can, undetected,
make changes to the precinct election results.

2. UV mark / lamp

The PCOS UV scanner was disabled due to its failure to perform its function of
validating the ballots.

3. Terms of Reference (TOR)

The standards and benchmarks for certification and acceptance of PCOS and System
Software were “lowered, altered, and even deviated” from the original terms and
conditions to “accommodate” the specs and capabilities of the PCOS machines provided
by the winning bidder – an accommodation not made available to other bidders.

4. Systems verification

There is no available evidence that either COMELEC or Smartmatic-TIM has subjected
the physical components of the voting system (the production models) to independent
review.

5. Source code

COMELEC has not released the standards against which the source code should be
tested. This increases the fear that malicious code can be embedded that will enable
“dagdag-bawas”. Source code review results (PCOS and canvassing systems) and Test
Certifications (PCOS and canvassing systems at the municipal, provincial, national and
disaster recovery / continuity sites) have not been made available for public scrutiny.

6. Memory card

The separate memory cards of the voting machines increase the vulnerability of the
automated electoral system software, since placing the software on an external memory
disk or flash drive complicates the voting system functionality and opens up opportunities
for damage, tampering, and alteration.

7. Transmission infrastructure

Nationwide power / electricity shortages and blackouts could occur on Election Day,
especially in remote areas. Lack of data transmission availability via wired, wireless, and
satellite links could affect transmittal of precinct data.

8. PCOS distribution

Delivery of 82,200 counting machines across the 7,100 islands that comprise the
Philippine archipelago before May 2010 would be a near impossible challenge even for a
developed country. Smartmatic’s dependence on local logistics subcontractors may
contribute to the problem.

9. Technical support

The continuing difficulty of the Smartmatic-TIM consortium in finding qualified
technology specialists would adversely affect the poll automation project, since it is these
people who are expected to provide the training and support required by the automated
electoral system.

10. Training and awareness for those who will man the polls

The delay in the training of some 400,000 public school teachers, who are expected to
man the clustered polling precincts, could lead to their poor grasp of the nature of and
their role in poll automation.

11. Unabated and large volume of election-related protests

Due to the many loopholes and weak provisions of the AES 2010, any losing candidate
can file an election protest on the simple ground of a questionable, rigged and unreliable
system. This can result in anarchy. Our judiciary system (which handles election protests)
is not yet properly equipped to handle automated election related protests.

VII. SUGGESTED COURSE OF ACTION

1. UV mark / lamp

Due to the deviation from the terms and conditions of the Terms of Reference for AES 2010,
the group finds the purchase of hand-held UV-scan units of no security value and purpose
and as such, recommends cancellation of the acquisition.

2. Data retention policy

Due to possible election protests that may arise, the group recommends that data – both raw
and transmission results – be retained for a period of 5 years starting 3 days before elections.

3. Type and kind of encryption Smartmatic is using

The public needs to be informed of the identities of the individuals holding the encryption
key and the number of times the key will need to be used. The encryption key should also be
changed regularly to prevent access to the eKeys from being breached. Even if asymmetric
technology is used, there is still a strong possibility that the AES could be hacked. It is
requested that the Technical Evaluation Committee (TEC) certify that the security features of
the AES (i.e., encryption, digital signatures, and digital certificates) are compliant with RA
8792.

4. Operation of disaster recovery site

This serves as a backup site to be used in case of contingencies that may arise. The TEC should
also test and certify this site along with the canvassing systems at the municipal, provincial
and national levels.

5. Digital signature / certificate

This can be the biggest source of fraud. Smartmatic has ownership and total control, with no
audit and testing procedure required. A private meeting with selected participants and
Smartmatic to tackle issues regarding this matter would be helpful. But it must happen
immediately. COMELEC, Smartmatic-TIM and COMELEC’s Advisory Council failed to
inform the public regarding this issue.

6. Precinct-by-Precinct Parallel Manual Count

While technically we are not inclined to suggest this as this will defeat the principal purpose
of automation (accuracy, speed, and no more time to implement dagdag-bawas), expose the
ballots to tampering (deliberate or otherwise), impose additional functions and
responsibilities on already overworked and overstressed poll officials – we can acquiesce to
the conduct of a parallel manual count (not 100%) if only to give way to a larger and more
important consideration – the credibility and acceptability of the results of poll automation by
the general public.

Our recommendation then is to limit the parallel manual count to one precinct per voting
center / school (38,000 precincts) and to further limit the manual count to the position of
president only. This limitation will facilitate manual counting as it will require only the
speedy sorting of ballots.

In the instance that the discrepancy between automated and manual results exceeds one
percent, the digital images of the ballots should be compared with the physical ballots to
determine the cause of the discrepancy. Only after this has been accomplished should all
precincts of that voting center / school be subjected to parallel manual count.

A very important rule that should be observed in conducting the parallel manual count is for
the human to do the counting in accordance with the rules followed by the machine. This is a
non-negotiable condition because if the manual count were to accept for counting check
marks, x-marks, lotto-type shading, underlines, encircles and dot marks, the machine and
manual counts will likely not agree. The manual count should void ballots which the
machine would void (due to markings such as smudges and markings on the timing,
positioning lines, and bar codes areas). The manual count should invalidate ballots which the
machine would invalidate.

7. Hash Codes
We strongly recommend the use of hash codes. We also recommend that the file size and the
date/time stamp of the various executables loaded into the PCOS and canvassing laptops be
made public through publication in major national newspapers. This will allow stakeholders
to check whether the executables loaded in the machines are as specified. This will enhance the
perception of transparency and will help allay fears that official versions of executables have
been substituted with ones containing sleeper codes.
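
The check that published hash codes make possible, as an added example that is not part of the forum document: a stakeholder compares the files found on a machine with a published manifest of SHA-256 digests and file sizes. The manifest layout, the file names and the sample contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(manifest, root):
    """Check files under root against a published manifest.

    manifest: {file name: {"sha256": hex digest, "size": bytes}}
    Returns {file name: "ok" | "missing" | "size-mismatch" |
             "hash-mismatch" | "unlisted"}.
    """
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif os.path.getsize(path) != expected["size"]:
            report[name] = "size-mismatch"
        elif sha256_of(path) != expected["sha256"]:
            report[name] = "hash-mismatch"
        else:
            report[name] = "ok"
    # Anything present but never published is also worth flagging.
    for name in sorted(os.listdir(root)):
        if name not in manifest:
            report[name] = "unlisted"
    return report


def demo():
    """Constructed sample data; file names are hypothetical."""
    official = {
        "pcos_app.bin": b"official build 1.0\n",
        "ccs_app.bin": b"canvass build 1.0\n",
    }
    manifest = {
        name: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for name, data in official.items()
    }
    installed = dict(official)
    # Substitute of identical length: a size check alone would pass it.
    installed["pcos_app.bin"] = b"official build 1.O\n"
    installed["extra.bin"] = b"not in the published list\n"
    with tempfile.TemporaryDirectory() as root:
        for name, data in installed.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return verify(manifest, root)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

A substituted file can be given the same size and date/time stamp as the official one, so the digest is the field that carries the check; size and timestamp only help a reader spot gross mismatches quickly.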

8. End-to-End Mock Elections (dry run)


This process is required by law and, as such, its conduct is highly recommended. Its conduct
will provide valuable inputs that will help all interested parties fine-tune all
infrastructure, systems and manpower performance.
The process should involve the following (as a minimum):

• There should be at least two precincts to be tested (five or ten is better) for one
congressional district. Each precinct should have 1000 test ballots, included in which
should be at least one vote per candidate. This will allow demonstration of the
machine’s accurate counting and faithful reporting of all votes cast for each
candidate.
• The machine-generated and manually-generated election results should be compared.
• If the results are found to be identical, the public demonstration of the electronic
transmission process should then proceed. This process begins with the BEIs affixing
their digital signatures onto the electronic election returns (ERs), encrypting the
election returns, then transmitting the electronic election returns to the seven
recipients prescribed by law. The process includes reporting of which of the seven
intended recipients received or did not receive the data transmitted.
• At the city / municipal BOC level, the BOC should be convened.
• As soon as the initialization chores are completed, publicly exhibit the process of
authenticating the digital signatures of the transmitting BEIs, decrypting the encrypted ER,
proceeding with the canvassing, and continuing on to the COC / SOVP processing and
printing and reporting. At this point, the COC data should be compared with the sums
inferred from the relevant ERs.
• Still at the BOC level, publicly display the process of having the members of the
BOCs digitally sign the COCs / SOVPs, encrypt the data, and actually transmit
the canvassed results to the provincial level.
• Repeat the last two bulleted items above at the provincial as well as at the
national level, always comparing the resulting totals with the totals inferred from the
documents from which the data were culled.

The public demonstration of the process at every level and the public showing of consistent
and accurate results and reports at every level would significantly enhance the people’s
confidence in the trustworthiness of the processes and results of the automated election
system.
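
The level-by-level comparison of totals described in the steps above, as an added example that is not part of the forum document: each reported canvass is checked against the sum of the documents it was culled from. The record layout, unit names and vote counts are constructed for illustration.

```python
from collections import Counter, defaultdict


def roll_up(children, parent_key):
    """Sum child tallies per parent unit: {parent: Counter(candidate -> votes)}."""
    sums = defaultdict(Counter)
    for child in children.values():
        sums[child[parent_key]].update(child["votes"])
    return sums


def compare(level, reported, recomputed):
    """Return (level, unit, candidate, reported, recomputed) for each mismatch."""
    issues = []
    for unit in sorted(set(reported) | set(recomputed)):
        rep = reported.get(unit, {}).get("votes", {})
        calc = recomputed.get(unit, {})
        for cand in sorted(set(rep) | set(calc)):
            if rep.get(cand, 0) != calc.get(cand, 0):
                issues.append((level, unit, cand, rep.get(cand, 0), calc.get(cand, 0)))
    return issues


def reconcile(ers, cocs, provincial):
    """Check each canvass level against the documents directly below it."""
    issues = compare("municipal", cocs, roll_up(ers, "municipality"))
    issues += compare("provincial", provincial, roll_up(cocs, "province"))
    return issues


def demo():
    """Constructed sample: three precinct ERs, two municipal COCs, one province."""
    ers = {
        "P1": {"municipality": "M1", "votes": {"A": 400, "B": 350}},
        "P2": {"municipality": "M1", "votes": {"A": 300, "B": 420}},
        "P3": {"municipality": "M2", "votes": {"A": 500, "B": 200}},
    }
    cocs = {
        "M1": {"province": "PROV", "votes": {"A": 700, "B": 770}},
        # Candidate B is 50 votes higher than the single ER from M2 supports.
        "M2": {"province": "PROV", "votes": {"A": 500, "B": 250}},
    }
    provincial = {"PROV": {"votes": {"A": 1200, "B": 1020}}}
    return reconcile(ers, cocs, provincial)


if __name__ == "__main__":
    for issue in demo():
        print(issue)
```

The provincial total in the sample agrees with the municipal COCs it was built from, so only the municipal comparison exposes the discrepancy, which is why the comparison is repeated at every level.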

9. Source Code Review


Inasmuch as the applications systems are already final and deployed at this time, then
COMELEC has no more reason not to disclose the source code of these systems.

10. Ethical hacking, penetration test


The group is requesting clearance from COMELEC to ethically hack the AES now and not
on election day, so that Smartmatic will still have time to install safeguards if the penetration
testing finds high-risk vulnerabilities.

VIII. OTHER RECOMMENDATIONS

1. Enhancing Public Trust and Acceptance


The perception of the public on the AES 2010 leaves much to be desired for it has come
under extreme attacks and denunciation from all sectors of the society. The truth is
perception can be more powerful than reality for it can boost belief and confidence for
the government or encourage the formation of anarchy. To enhance public perception of
transparency and to increase public trust in the process and results, we recommend a
series of steps outlined in Appendix A entitled “Enhancing AES Transparency &
Results Acceptability”.

2. AES 2010 Task Force

To markedly improve public perception of the AES, most especially to enhance public
trust in and acceptance of the results of the AES, we recommend the formation of a 12-
person task force, the members of which will be recommended and appointed by both the
DND and PCS. The task force requires proper funding and logistical support. The task
force shall begin to operate ASAP and continue to operate until the national officials of
the Republic shall have each taken their oath of office.

a) Conduct, between now and election time, random spot checks of selected areas
regarding the availability of individuals that have been “hired” as technical support
personnel to serve on election day. The Junior PCS has chapters of sufficient number
and spread (all over the country) to facilitate this kind of undertaking.

b) PCS can hold pocket sessions or private meetings at selected sites all over the country
to present to and discuss with key political parties, members of the judiciary, and
other interested parties the results and findings of the AES 2010: Crisis Management
Forum.

c) Undertake “performance monitoring” in terms of technology compliance on the part
of both COMELEC and Smartmatic; and thence submit timely reports to appropriate
parties on a regular basis. The information gathered will serve as basis for
recommendations for future action.

d) PCS can conduct special sessions for members of the Philippine judiciary and law
enforcement agencies to aid them in handling technical issues associated with
automated election protests. Sessions can be conducted between now and the
proclamation of the winning national candidates.

IX. CONCLUSION

When the group was asked, “What are the chances of COMELEC listening to and
implementing our requests and suggestions?”, the group’s response was not optimistic. It
was felt that COMELEC might grant small concessions to appease the general public;
but, by and large, because of the few days remaining, major changes can no longer be
expected. The group’s energy and focus would be better directed at monitoring the
activities of COMELEC and Smartmatic so as to be able to immediately assess the
impact of their actions. This activity should extend even after the elections on May 10.
The probability of right action is higher when timely up-to-date information is present.
