I. PROGRAM OBJECTIVE
The aim of this assembly was to build a consensus among stakeholders and concerned groups in
order to encourage collaboration among them in their response to crises related to the
implementation of the AES.
II. PURPOSES
1. To validate the issues and concerns raised by different sectors on the vulnerabilities of the
AES;
2. To determine and establish the grounds for ensuring the credibility and integrity of the
AES;
3. To identify potential problem areas and assess the impact of the perceived AES failures;
and
4. To produce, as an output of the forum, a document reflecting forum recommendations
and suggested courses of action.
III. RATIONALE
Approximately two (2) weeks from today, the Philippine Republic will engage in and witness the
first-ever multi-billion peso information and communications technology (ICT) project
automating the highly contested national and local elections of May 10, 2010. The steps taken
and the activities undertaken or not, as reported in the news, have resulted in some quarters
becoming hopeful and wanting to see this bold innovation succeed. On the other hand, the same
steps and activities have caused others to become skeptical and to worry that failures may cause
increased instability in this young democracy that is the Philippines.
The Philippine Computer Society, as the first and therefore the oldest organization of ICT
professionals (established in 1967), has continuously advocated for reforms in the Philippine
electoral system. Since the time of ratification of the Philippine Constitution of 1987, PCS has
served as advisor or consultant to the Commission on Elections, and as member of the various
Technical Working Groups of the legislative branch of government. With a membership
composed of management professionals and industry-based practitioners, PCS has been and is in
a position to take stock of issues and respond to concerns that have recently hogged the
limelight. PCS, with the intention of mitigating risks and containing crises, can generate
awareness among and respond to voiced threats and fears of an anxious citizenry.
ICT has been chosen as the principal tool for ridding the Philippine electoral system of fraud.
Implementation of such a choice, however, is not as simple as purchasing a ready solution from
over the counter of a supermarket. There are other tasks involved – such as hardware and
software systems configuration, transmission, networking and communications security, process
and change management, as well as risk and crisis management leading to the drafting of a
contingency plan. This forum was instituted to initially identify and classify the risks to be
mitigated. In the event the foreseen failures and crisis events do occur, a continuity plan must
have been planned – as prescribed in Section 10[13] of RA 9369 under the heading Continuity
Plan – to enable COMELEC to issue this plan to the public not later than fifteen (15) days before
election day. That day is this Sunday April 25, 2010.
IV. PARTICIPANTS
Participants were representatives of: Industry associations and professionals; Academic and
research community; Civil society organizations; Political stakeholders; Peace and order
enforcers; and Judicial and legal community
VI. ISSUES AND AREAS OF CONCERN IDENTIFIED
Due to their possession of the private keys, Smartmatic and its associates can, undetected,
make changes to the precinct election results.
2. UV mark / lamp
The PCOS UV scanner was disabled due to its failure to perform its function of
validating the ballots.
The standards and benchmarks for certification and acceptance of PCOS and System
Software were “lowered, altered, and even deviated” from the original terms and
conditions to “accommodate” the specs and capabilities of the PCOS machines provided
by the winning bidder – an accommodation not made available to other bidders.
4. Systems verification
5. Source code
COMELEC has not released the standards against which the source code should be
tested. This increases the fear that malicious codes can be embedded that will enable
“dagdag-bawas”. Source code review results (PCOS and canvassing systems) and Test
Certifications (PCOS and canvassing systems at the municipal, provincial, national and
disaster recovery / continuity sites) have not been made available for public scrutiny.
6. Memory card
The separate memory cards of the voting machines increase the vulnerability of the
automated electoral system software since placing the software on an external memory
disk or flash drive complicates the voting system functionality and opens up opportunities
for damage, tampering, and alteration.
7. Transmission infrastructure
Nationwide power / electricity shortages and black outs could occur on Election Day,
especially in remote areas. Lack of data transmission availability via wired, wireless, and
satellite could affect transmittal of precinct data.
8. PCOS distribution
Delivery of 82,200 counting machines across the 7,100 islands that comprise the
Philippine archipelago before May 2010 would be a near impossible challenge even for a
developed country. Smartmatic’s dependence on local logistics subcontractors may
contribute to the problem.
9. Technical support
10. Training and awareness for those who will man the polls
The delay in the training of some 400,000 public school teachers, who are expected to
man the clustered polling precincts, could lead to their poor grasp of the nature of and
their role in poll automation.
Due to the many loopholes and weak provisions of the AES 2010, any losing candidate
can file an election protest for the simple reason of a questionable, rigged and unreliable
system. This can result in anarchy. Our judiciary system (which handles election protests)
is not yet properly equipped to handle automated election related protests.
VII. SUGGESTED COURSE OF ACTION
1. UV mark / lamp
Due to the deviation from the terms and conditions of the Terms of Reference for AES 2010,
the group finds the purchase of hand-held UV-scan units of no security value and purpose
and as such, recommends cancellation of the acquisition.
Due to possible election protests that may arise, the group recommends that data – both raw
and transmission results – be retained for a period of 5 years starting 3 days before elections.
The public needs to be informed of the identities of the individuals holding the encryption
key and the number of times the key will need to be used. The encryption key should also be
changed regularly to avoid breaching of access to eKeys. Even if asymmetric technology is
used, there is still a strong possibility that the AES could be hacked. It is requested that the
Technical Evaluation Committee should conduct the certification of the security features of
AES (i.e., encryption, digital signatures, and digital certificates) that is compliant with RA
8792.
This serves as a back site to be used in case of contingencies that may arise. The TEC should
also test and certify this site along with the canvassing systems at the municipal, provincial
and national levels.
This can be the biggest source of fraud. Smartmatic has ownership and total control, with no
audit and testing procedure required. A private meeting with selected participants and
Smartmatic to tackle issues regarding this matter would be helpful. But it must happen
immediately. COMELEC, Smartmatic-TIM and COMELEC’s Advisory Council failed to
inform the public regarding this issue.
While technically we are not inclined to suggest this as this will defeat the principal purpose
of automation (accuracy, speed, and no more time to implement dagdag-bawas), expose the
ballots to tampering (deliberate or otherwise), impose additional functions and
responsibilities on already overworked and overstressed poll officials – we can acquiesce to
the conduct of a parallel manual count (not 100%) if only to give way to a larger and more
important consideration – the credibility and acceptability of the results of poll automation by
the general public.
Our recommendation then is to limit the parallel manual count to one precinct per voting
center / school (38,000 precincts) and to further limit the manual count to the position of
president only. This limitation will facilitate manual counting as it will require only the
speedy sorting of ballots.
In the instance that the discrepancy between automated and manual results exceeds one
percent, the digital images of the ballots should be compared with the physical ballots to
determine the cause of the discrepancy. Only after this has been accomplished should all
precincts of that voting center / school be subjected to parallel manual count.
A very important rule that should be observed in conducting the parallel manual count is for
the human to do the counting in accordance with the rules followed by the machine. This is a
non-negotiable condition because if the manual count were to accept for counting check
marks, x-marks, lotto-type shading, underlines, encircles and dot marks, the machine and
manual counts will likely not agree. The manual count should void ballots which the
machine would void (due to markings such as smudges and markings on the timing,
positioning lines, and bar codes areas). The manual count should invalidate ballots which the
machine would invalidate.
7. Hash Codes
We strongly recommend the use of hash codes. We also recommend that the file size, the
date/time stamp of the various executables loaded into the PCOS and canvassing laptops be
made public through publication in major national newspapers. This will allow stakeholders
to check whether executables loaded in machines are as specified. This will enhance the
perception of transparency and will help allay fears that official versions of executables have
been substituted with ones with sleeper codes.
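An added example, not part of the forum report and not COMELEC or Smartmatic code: a checker that compares the executables found on a machine against a published manifest of hash, file size and date/time stamp. SHA-256, the file names and the manifest layout are assumptions; the files are constructed, and the substitute keeps the published size and time stamp.

```python
import hashlib
import os
import tempfile
from pathlib import Path

FIELDS = ("sha256", "size", "mtime")

def describe(path):
    """Return the three attributes the forum wants published for one file."""
    h = hashlib.sha256()  # algorithm is an assumption; the report only says "hash codes"
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}

def verify(directory, manifest):
    """Map each problem file to the attributes that differ from the manifest."""
    findings = {}
    present = {p.name for p in Path(directory).iterdir() if p.is_file()}
    for name, published in manifest.items():
        if name not in present:
            findings[name] = ["missing"]
            continue
        actual = describe(Path(directory) / name)
        diffs = [k for k in FIELDS if actual[k] != published[k]]
        if diffs:
            findings[name] = diffs
    for name in sorted(present - set(manifest)):
        findings[name] = ["unlisted"]  # loaded on the machine but never published
    return findings

def demo():
    """Constructed files: publish a manifest, then swap in a same-size substitute."""
    stamp = 1272153600  # constructed time stamp (2010-04-25 00:00:00 UTC)
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "pcos_app.bin"  # hypothetical executable name
        exe.write_bytes(b"OFFICIAL-BUILD-0001")
        os.utime(exe, (stamp, stamp))
        manifest = {exe.name: describe(exe)}  # what would appear in print
        before = verify(d, manifest)
        exe.write_bytes(b"MODIFIED-BUILD-0001")  # same length as the original
        os.utime(exe, (stamp, stamp))  # time stamp restored to the published one
        (Path(d) / "extra.bin").write_bytes(b"x")
        return before, verify(d, manifest)

if __name__ == "__main__":
    print(demo())
```

The substitute matches the published size and time stamp, so of the three published attributes only the hash flags it; the unlisted file is reported separately.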
There should be at least two precincts to be tested (five or ten is better) for one
congressional district. Each precinct should have 1000 test ballots, included in which
should be at least one vote per candidate. This will allow demonstration of the
machine’s accurate counting and faithful reporting of all votes cast for each
candidate.
The machine-generated and manually-generated election results should be compared.
If the results are found to be identical, the public demonstration of the electronic
transmission process should then proceed. This process begins with the BEIs affixing
their digital signatures onto the electronic election returns (ERs), encrypting the
election returns, then transmitting the electronic election returns to the seven
recipients prescribed by law. The process includes reporting of which of the seven
intended recipients received or did not receive the data transmitted.
At the city / municipal BOC level, the BOC should be convened.
As soon as the initialization chores are completed, publicly exhibit the process of
authenticating the digital signatures of the transmitting BEIs, decrypting the encrypted ER,
proceeding with the canvassing, and continuing on to the COC /SOVP processing and
printing and reporting. At this point, the COC data should be compared with the sums
inferred from the relevant ERs.
Still at the BOC level, publicly display the process of having the members of the
BOCs digitally signing the COCs / SOVPs, encrypting the data, actually doing the
transmission of the canvassed results to the provincial level.
Repeat the last two bulleted items above at the provincial as well as at the
national level, always comparing the resulting totals with the totals inferred from the
documents from which the data were culled.
The public demonstration of the process at every level and the public showing of consistent
and accurate results and reports at every level would significantly enhance the people’s
confidence in the trustworthiness of the processes and results of the automated election
system.
VIII. OTHER RECOMMENDATIONS
To markedly improve public perception of the AES, most especially to enhance public
trust in and acceptance of the results of the AES, we recommend the formation of a 12-
person task force, the members of which will be recommended and appointed by both the
DND and PCS. The task force requires proper funding and logistical support. The task
force shall begin to operate ASAP and continue to operate until the national officials of
the Republic shall have each taken their oath of office.
a) Conduct, between now and election time, random spot checks of selected areas
regarding the availability of individuals that have been “hired” as technical support
personnel to serve on election day. The Junior PCS has chapters of sufficient number
and spread (all over the country) to facilitate this kind of undertaking.
b) PCS can hold pocket sessions or private meetings at selected sites all over the country
to present to and discuss with key political parties, members of the judiciary, and
other interested parties the results and findings of the AES 2010: Crisis Management
Forum.
d) PCS can conduct special sessions for members of the Philippine judiciary and law
enforcement agencies to aid them in handling technical issues associated with
automated election protests. Sessions can be conducted between now and the
proclamation of the winning national candidates.
IX. CONCLUSION
When the group was asked, “What are the chances of COMELEC listening to and
implementing our requests and suggestions?”, the group's response was not optimistic. It
was felt that COMELEC might grant small concessions to appease the general public;
but, by and large, because of the few days remaining, major changes can no longer be
expected. The group’s energy and focus would be better directed at monitoring the
activities of COMELEC and Smartmatic so as to be able to immediately assess the
impact of their actions. This activity should extend even after the elections on May 10.
The probability of right action is higher when timely up-to-date information is present.