
Automated Election System

Does automation = clean elections?


Possible Problems: Preliminary Results
Technical Briefing

What is the AES?


• “A system using appropriate technology which has been demonstrated in the voting, counting, consolidating, canvassing, and transmission of election result, and other electoral process”

Public perception of the AES
• It would lead to clean elections
• Cheating would be impossible in an automated election

AES System
• Election Management System (EMS)
  • Configuration of precinct data
  • Election Mark-Up Language (EML)
• Precinct-Count Optical Scan (PCOS) System
  • Precinct Machine
• Consolidation / Canvassing System (CCS)
  • BOC Computer

PCOS Machine

SMARTMATIC AUTOMATED ELECTION SYSTEM (SAES 1800)

SAES 1800
• Precinct Count Optical Scan / Optical Mark Reader (OMR)
  • Detects the absence or presence of a mark in predefined positions on a form

SAES 1800 Components
• RF Key
• Thermal Printer
  • 2-1/4 inch roll paper
  • Rated to last 5 years
• Digital Scanner
  • 4-bit mono-color scanner
  • 16 shades of gray
• Compact Flash (CF) Card
• Input / Output Ports
  • CF Card Reader
  • UTP Ethernet Port
  • Disabled USB
  • RJ-11 Modem Port
• Processor And Memory
  • Not Specified
• Ballot Box
• Cast and Return
  • Buttons Disabled
• Display
  • Touch screen, mono-color display
  • Quarter VGA in size, 320x240 pixels

Ballot Boxes with Transparent Panels
Compartments in the Ballot Box
[Figure labels: Transparent Panels; Invalid Ballots; Valid Ballots]


Software Specifications: Operating
System
• Embedded uClinux
• Possibly with uClibC
• Possibly with GNU core utilities
• Copyrighted under the General Public License (GPL) open source licensing scheme

Voting Flow using PCOS - OMR

1 BEI inserts physical key into PCOS machine to power it
2 BEI inserts CF card into PCOS machine to configure it
3 BEIs type passwords to initialize the machine – zero votes
4 Voter fills up and feeds ballot into the machine
5 BEIs close poll and print ER
• BEI attaches external modem to access internet connection
• BEIs digitally sign electronic ER which gets transmitted to municipal, provincial and national servers
• Canvassing

Configuring the Machine
[Figure labels: Smartmatic CF Card; Inserting the Card]

Initialization
[Figure labels: Initialization; Initialization Report]

Voting
[Figure labels: Sample Ballot; Feeding the Ballot into the Machine]

Election Return and Transmission of Votes
[Figure labels: ER Certification; External Modem]
Data Flows

CANVASSING LEVELS

Consolidation Canvassing System (CCS) – Real-Time Electoral Information System (REIS)
• Operating System: GNU/Linux
• Software possibly written in web server side programming language (e.g. JAVA)

• Cities/Municipal
  • Input: ERs from precincts
• Provincial/Congressional
  • Input: Statement of Votes and Certificate of Canvass from Cities/Municipalities
• National
  • Congress: President and Vice President contests
  • Comelec: Senators and Party List contests
  • Input: Statement of Votes

PCOS Machine (counting): SAES 1800
CCS Server (canvassing): REIS

Pre-election * Election * Canvassing * Proclamation

30 VULNERABILITIES
6 Vulnerabilities On Voting Day

BEI inserts physical key into PCOS machine to power it
BEI inserts CF card into PCOS machine to configure it
BEIs type passwords to initialize the machine – zero votes
Voter fills up and feeds ballot into the machine
BEIs close poll and print ER
BEI attaches external modem to access internet connection
BEIs digitally sign electronic ER for transmission
Canvassing

• Hardware Failure: Start up or boot failure
• Wrong CF card inserted
• Failure to accept password
• Failure of initialization function
• Machine has stored ballot images already
• Wrong program installed
• Pre-marked legitimate ballots might be fed
• Legitimate ballots rejected
• Reading/scanning ballots from another precinct
• Hardware/software failure
• No backup units
• Voter cannot verify if ballot is read/scanned correctly
• Failure of function to close polls (premarked ballots can still be inserted)
• Misreading of ballots
• Mis-crediting of marks
• Erroneous counting
• Printer fails
• Paper jam
• Signing/encryption/transmission failure
• Failure to accept password
• Connectivity failure

Software and Data Integrity

5 MAJOR TECH ISSUES

Highlights of Technical Concerns
• Verifiability of Voter’s Choice
• Machine Interpretation of Ballot
• Program Correctness
• Review of Source Code
• Program Integrity Verification
• Protection of Transmitted Data
• Digital Signatures
• System Administration
• Root Users / System Administrators
Voter’s Choice Verifiability

“Provide the voter a system of verification to find out whether or not the machine has registered his choice.”
[Article 7 (n) of RA 9369]

Voter’s Choice Verifiability
• No sufficient mechanism for voter’s choice verifiability.

• Safeguard
  • Comelec has to enable the feature of the SAES-1800 that will show how the PCOS machine interpreted the ballot.

Program Correctness

RA 9369 requires Comelec to subject the source code to review by all interested parties.

Source Code
• Human readable version of the computer programs running on the PCOS and BOC computers.
• Will reveal whether the counting and canvassing are done properly
• To prove that the PCOS and CCS programs follow RA 9369 and COMELEC ToR

[Figure: An illustration of Java source code with prologue comments indicated in red, inline comments indicated in green, and program code indicated in blue.]

Safeguard
Reviewed and approved source code → Machine executable format → Burned into each PCOS machine / Install in CCS
Program Integrity Verifier

How can we know that the approved source code is installed?

Program Integrity Verification
• The hash (one line of numerical value) verifies that the approved program is installed in each PCOS machine / CCS

Safeguard
• Comelec should subject the approved program to a hash verifier function
• Provide the BEIs, political parties and poll watchers the hash value
• On election day, the hash value of the program installed in each PCOS machine should be printed during the initialization stage
• If the values are different from the hash value of the approved program, the wrong program was installed in the machine
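
The safeguard above, sketched as an added example (not code from the briefing or from the AES vendor): a poll watcher's audit that compares the hash printed on each machine's initialization report with the published hash of the approved program. SHA-256, the precinct names, the program bytes and the printout formats are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

def program_hash(image: bytes) -> str:
    """Hash of a program image. Assumption: SHA-256 stands in for the
    unnamed "hash verifier function" in the briefing."""
    return hashlib.sha256(image).hexdigest()

def normalize(printed):
    """Clean up a hash copied from a paper printout.
    Returns None when the value is not a complete 64-hex-digit digest."""
    value = re.sub(r"[\s:-]", "", printed or "").lower()
    return value if re.fullmatch(r"[0-9a-f]{64}", value) else None

def audit(approved_hash: str, printed_by_precinct: dict) -> dict:
    """Return {precinct: verdict} for every initialization report."""
    results = {}
    for precinct, printed in printed_by_precinct.items():
        value = normalize(printed)
        if value is None:
            # A missing or truncated hash proves nothing; treat as a failure.
            results[precinct] = "NO VALID HASH PRINTED"
        elif hmac.compare_digest(value, approved_hash):
            results[precinct] = "MATCH"
        else:
            results[precinct] = "MISMATCH: wrong program installed"
    return results

# Constructed sample data: stand-ins for the approved and an altered build.
APPROVED_IMAGE = b"constructed stand-in for the reviewed PCOS program image"
ALTERED_IMAGE = APPROVED_IMAGE.replace(b"reviewed", b"modified")
APPROVED_HASH = program_hash(APPROVED_IMAGE)

def spaced(digest: str) -> str:
    """Mimic a printout that groups the digits and uses upper case."""
    return " ".join(digest[i:i + 8] for i in range(0, 64, 8)).upper()

REPORTS = {
    "precinct-0001": spaced(APPROVED_HASH),         # approved program
    "precinct-0002": program_hash(ALTERED_IMAGE),   # different program
    "precinct-0003": APPROVED_HASH[:40],            # truncated printout
    "precinct-0004": "",                            # nothing printed
}

if __name__ == "__main__":
    for precinct, verdict in audit(APPROVED_HASH, REPORTS).items():
        print(precinct, verdict)
```

The check only has value if the published hash reaches the BEIs, parties and watchers through a channel the machine supplier does not control, and if a missing printout is treated as a failure rather than ignored.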

Protection of Transmitted Data

Immutability of Precinct Data

RA 9369
• Section 22 Electronic Returns: "The (precinct) election returns (ER) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes and the proclamation of a candidate."

Comelec Implementation Guide: ToR/RfP AES2010
• 4. Counting, Consolidation and Generation of ER
  4.3 The BEI shall physically sign and affix their thumbprints on all copies and on all pages of the ER
  4.5 The BEI shall digitally sign and encrypt the internal copy of the ER

Digital Signature / Secret Key
• A summary (hash value) of the ER encrypted using the BEI’s secret key.
• The digital signature serves two purposes:
  • Identifies the BEI personnel who signed the precinct ER
  • It ensures that the precinct ER is not modified in any way by dagdag-bawas

What Happens If Another Person Knows the Teacher's Secret Key?
• The other person, with malicious intent, can remove the BEI's signature, change the contents of the ER, and sign the modified ER (again) with the BEI's secret key.
• Only the person who has possession of the BEI's secret key can re-sign the ER.
• Any person who has possession of a majority of the BEI's secret keys can control the results of election 2010
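
The property described above, as an added example (not code from the briefing or from the AES): verification proves only that the holder of the secret key signed this exact ER, so it detects changes made without the key and cannot distinguish the BEI from anyone else who holds a copy of it. The key uses toy parameters (two Mersenne primes, unpadded RSA, not the 2048-bit keys in the proposal), and the ER contents are constructed.

```python
import hashlib

# Toy parameters for illustration only: two Mersenne primes and textbook
# (unpadded) RSA. Real systems use padded RSA from a vetted library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # the BEI's secret key

def digest(er: bytes) -> int:
    """Summary (hash value) of the ER as an integer."""
    return int.from_bytes(hashlib.sha256(er).digest(), "big")

def sign(er: bytes, secret_key: int) -> int:
    """Digital signature: the hash value transformed with the secret key."""
    return pow(digest(er), secret_key, N)

def verify(er: bytes, signature: int) -> bool:
    """Anyone can check an ER against its signature with the public key."""
    return pow(signature, E, N) == digest(er)

# Constructed election returns for two precincts.
ER_1 = b"precinct=0001;candidate_a=312;candidate_b=287"
ER_2 = b"precinct=0002;candidate_a=150;candidate_b=160"
SIG_1, SIG_2 = sign(ER_1, D), sign(ER_2, D)
MODIFIED = b"precinct=0001;candidate_a=212;candidate_b=387"

def scenarios() -> dict:
    return {
        # Normal case: the ER arrives with its own signature.
        "original ER with its signature": verify(ER_1, SIG_1),
        # Vote shifting without the key is detected.
        "modified ER, old signature": verify(MODIFIED, SIG_1),
        # A second copy of the key defeats the check: the re-signed ER
        # verifies exactly like a genuine one.
        "modified ER, re-signed with a copy of the key":
            verify(MODIFIED, sign(MODIFIED, D)),
        # An ER separated from its signature cannot be validated.
        "ER paired with another ER's signature": verify(ER_1, SIG_2),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verifies' if ok else 'REJECTED'}")
```

The third scenario is why who generates and stores the private keys matters as much as the key length.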

Comelec's Error
• Bid Bulletin No. 10 (20090415):

The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, the digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec.

SMARTMATIC WILL CREATE THE PRIVATE-PUBLIC KEY PAIRS
• In Smartmatic's financial proposal, Item 1.2.1.4 consists of 246,600 sets of 2048-bit private public key pairs for BEIs (3 per PCOS) at the cost of PHP0.00. The BEIs will be anonymous (will not be known by name) so that any teacher can sign in any BEI position.

• This can only mean that Smartmatic itself will generate the key pairs, and so Smartmatic will have all the private keys.

Safeguards
• Comelec should ensure that the secret key of the teacher is known only by the teacher
• The ER and digital signature (encrypted hash value) should never be separated during transmission and storage in the Comelec databases.

System Administration

He Who Controls Technology, Controls the Votes

System Administration
• The root user/system administrator or “super user”
  • A human who can issue any command available on the computer, normally to do system maintenance or to recover from failure.
  • The root user can edit the precinct ERs if he has access to secret keys and change the election results.

Safeguards
• Comelec should have enough precautions so that a root user is not needed to manually interfere with the election programs
  • In case of a breakdown, the root user’s activities are all properly logged in publicly displayed audit and log files in real time to be scrutinized by poll watchers.
• The root user must not be allowed to log in from remote / different location

What will happen if issues are not addressed?
• Unless these issues are addressed satisfactorily by Comelec, Smartmatic, the Comelec Advisory Council (CAC), the Comelec Technical Evaluation Committee (TEC), and the Joint Congressional Oversight Committee, the computerized elections in 2010 can lead to computerized cheating or failure of elections.

HOW YOU CAN HELP

Area: Tasks
• Source Code Review: System Administration, Keys and Cryptography, Data Communications and Processing, Event Handling
• IT Research: Related Literature and Technology Research
• Geographical Info System: Encode
• Website Development: Content management
• Media and Publicity: Multimedia content production and design
• Administrative: Transcription

Contact Information
• Project Office
  • AES Policy Research Office, 3rd Flr. (UP Law Library), UP College of Law (Malcolm Hall)
  • Contact No: 029299526 / 09064924266
  • Email: info@aes2010.net
  • AES Website: http://www.aes2010.net
  • CenPEG: http://www.cenpeg.org

CenPEG

BOARD OF DIRECTORS: Dr. Bienvenido Lumbera, Chair; Dr. Temario Rivera, Vice-Chair; Prof. Luis V. Teodoro; Dr. Eleanor Jara;
Bishop Gabriel Garol; Atty. Cleto Villacorta; Ms. Evi-Ta Jimenez; Dr. Edgardo Clemente; Prof. Roland Simbulan; Prof. Bobby Tuazon; Dr. Felix Muga II
3/F, College of Social Work and Community Development Bldg., University of the Philippines, Diliman, Quezon City, Philippines
Telefax: +632-9299526 email: cenpeg@cenpeg.org; cenpeg.info@gmail.com website: http://www.cenpeg.org
BRIEFING
Philippine Automated Election
System (AES) 2010
Modernizing Democracy
or Modernizing Cheating?

Center for People Empowerment in Governance


(www.cenpeg.org)

Automated Election System


(AES) 2010 Policy Study (www.aes2010.net)
(A Project in Election Reform)

Office of the Dean, UP College of Law


4–5–6
Major Issues in the Automated Election System (AES)

• 4 major legal issues
  • Undue delegation of legislative power
  • Foreign ownership / control
  • Generally, intolerable technical flaws
  • Violation of statutory provisions

• 5 major technical issues
  • Source code (PCOS & CCS integrity)
  • Program integrity verification
  • Voter’s choice verifiability
  • Protection of transmitted data – digital signature
  • Root user / system administrator

• 6 major mgt issues
  • Choice of technology
  • Competence (Comelec & CAC)
  • Procurement / bidding
  • Geographic Information System (GIS)
  • IRR & adjudication process
  • Comelec’s constitutional mandate

IS COMELEC READY
for AES2010?
MANAGEMENT ISSUES

August 13, 2009


THIS PRESENTATION
• Choice of technology
• Management competence
• Procurement/bidding
• Geographic Information System (GIS)
• IRR & adjudication process
• Comelec’s constitutional mandate

• Note: Comelec’s AES is the single, biggest fully-automated election project worldwide.

1. Choice of technology
• Failure to consult the Filipino IT
community
• Need to revisit RA 9369 (Sec.
37: as “technology evolves” and
“suitable to local conditions”)
• PCOS-OMR system: does not
enhance “secret voting, public
counting” (transparency); limits
voter’s rights
• Smartmatic-TIM’s P7.2-billion technology is cheap but sub-standard
[Photo: SAES 1800]
• Automate only the correct and
tested process
2. Management competence
• Automated election = clean
election, is an illusion
• Going “full-blast” instead of by
phases (RA 9369 provides for
pilot testing)
• Full automation without
addressing systemic fraud
• Priority of speed – over
promoting voter’s rights
• Heavy reliance on foreign
expertise and technology
(outsourcing): Outsource only a
system that you know about
Management competence
• Comelec lacks IT and infrastructure competence
(CAC report, October 2008)
• Comelec Advisory Council (CAC) lacks
independence and competence
• Senate: Comelec/SBAC lack “diligent scrutiny”
• Tendency to short cut election preparations (e.g.,
in the Comelec calendar there is no schedule of
source code review; disregard for safeguards &
security measures)
• Flawed or inadequate continuity and contingency
plans (also observed in a Senate committee
hearing)
3. Procurement / bidding
[AES study/CenPEG photos]

• Legal questions (e.g., papers of incorporation; 60-40 sharing; was there a NEDA review?)
• Accounts about bending of rules to favor Smartmatic-TIM consortium
• Are Smartmatic-TIM “politically neutral” (Comelec bid rule)?
• Demonstration tests inadequate; controlled environment;
only hardware & external features shown (not the more
crucial internal features such as software). Claim of
“transparency” is superficial.
4. Geographic Information
System (GIS)
• Comelec has no functional GIS for
AES’ 80,000 PCOS machines,
1,800 CCS machines
• In the 2008 ARMM automated
polls (Comelec’s “pilot test”):
Technical, manpower and
environmental problems
• NEDA 2007 report: government IT
infrastructure 90% failure; most
public websites can be hacked -
NCC
• Contingency plans, safeguards &
security measures for GIS-related
vulnerabilities are imperative
5. Lack of IRRs & adjudication
process
• Since RA 9369 became a law (January
2007), there is no IRR
• Either the law is unclear or Comelec
has no measures with regard to AES-
generated election protests
(adjudication process)
6. Comelec constitutional
mandate
Has Comelec abdicated its constitutional
mandate to manage & administer the
elections?
• 90% of election administration is entrusted
to Smartmatic-TIM
• Comelec: “Trust the machines”; “It’s up to
Smartmatic-TIM”
• To critics of AES: “fear mongering”;
promoters of “No-El”; “Trust the Comelec”
• Commission of Smartmatic-TIM?
CONCLUSION: Some questions
• Is the AES system really a “Dream Poll”? Or is it designed to
fail?
• Given the inadequate preparations and the fluid political
situation, will there be a failure of election in May 2010?

• Sen. Dick Gordon: “If this automation will just be worse than
the manual, then I will not support it, even if I authored the
law.”
• Senate President Juan Ponce Enrile: “Failure of election will
spark a revolution!”

AES study/
CenPEG photo
• Trust is built over time.
• To trust the machine, know how it
operates.
• Who controls the technology,
controls the votes.
- END -
Mr. Manuel Alcuaz’s Reactions

COMELEC
SMARTMATIC
PAYMENT TERMS
DISHONEST?
CRIMINAL?
FOOLISH?

1
RFP WAS 56
PAGES LONG
BUT HAD NO
TERMS OF
PAYMENT!

2
P 1, 795 Billion
Payment Innovations
• Project Initialization, Setup Project Management Team (PMT) and Project Systems including all SW licenses and firmware: 10%
• Delivery of Development Set (20 Units): 5%
• Report on Transmission and Logistics: 5%
• Delivery of Functional System and Software Agreement: 5%

3
NOT in RFP!
NOT in
Smartmatic
Financial
Proposal

4
PROJECT INITIALIZATION, SETUP PROJECT MANAGEMENT TEAM (PMT) AND PROJECT SYSTEMS INCLUDING ALL SW LICENSES AND FIRMWARE 10%

Payment Term: P 719 million
Financial Proposal Components:
• Project Management: P 99,999,999.00
• PCOS Application: P20,786,802.18!
• BMS Application: P21,223,021.07

How can setting up be many times more than doing the job?

5
DELIVERY OF DEVELOPMENT SET (20 UNITS)

Payment Term: P 359 Million
Financial Proposal, actual cost: P45,419 x 20 = P 908,380
Nearly P18 Million per unit

6
REPORT ON TRANSMISSION AND LOGISTICS

Payment Term: P 359 Million Report (written on gold paper?)
Financial Proposal:
• Provision for Electronic Transmission P200 million (P 199,999,997.51)
• Total warehousing, deployment and pull out, P916,581,355.

How can a report be 30% of the actual services?

This will make the Guinness Book of Records!

7
Delivery of Functional System and Software Agreement

Payment Term: P 359 Million
Financial Proposal:
• Analysis and Design for EMS and PCOS and CCS all P0.00
• Tools and Programs for EMS, PCOS, and CCS all P0.00

Section 7.3 p 30 of RFP states “The ownership of the Analysis, Design, and executable programs of all the application develop should be given to COMELEC at no additional cost”

What is COMELEC paying for?!
