Does automation = clean elections?
Possible Problems: Preliminary Results Technical Briefing
What is the AES?
“A system using appropriate technology which has been demonstrated in the voting, counting, consolidating, canvassing, and transmission of election result, and other electoral process”
Public perception of the AES
• It would lead to clean elections
• Cheating would be impossible in an automated election
Election Management System (EMS)
• Configuration of precinct data
• Election Mark-Up Language (EML)
Precinct-Count Optical Scan (PCOS) System
Precinct Machine BOC Computer
Consolidation / Canvassing System (CCS)
SMARTMATIC AUTOMATED ELECTION SYSTEM (SAES 1800)
Count Optical Scan / Optical Mark Reader (OMR)
the absence or presence of a mark in predefined positions on a form
SAES 1800 Components
RF Key
Thermal Printer
• 2-1/4 inch roll paper
• Rated to last 5 years
Digital Scanner
• 4-bit mono-color scanner
• 16 shades of gray
Processor And Memory
• Not Specified
Compact Flash (CF) Card
Input / Output Ports
• CF Card Reader
• UTP Ethernet Port
• Disabled USB
• RJ-11 Modem Port
Ballot Box Cast and Return •Buttons Disabled
Display • Touch screen, mono-color display •Quarter VGA in size, 320x240 pixels
Ballot Boxes with Transparent Panels
Compartments the Ballot Box
Software Specifications: Operating System
• Embedded uClinux
• Possibly with uClibC
• Possibly with GNU core utilities
• Copyrighted under the General Public License (GPL) open source licensing scheme
Voting Flow using PCOS - OMR
• BEI inserts physical key into PCOS machine to power it
• BEI inserts CF card into PCOS machine to configure it
• BEIs type passwords to initialize the machine – zero votes
• Voter fills up and feeds ballot into the machine
• Canvassing
• BEIs digitally signs electronic ER which gets transmitted to municipal, provincial and national servers
• BEI attaches external modem to access internet connection
• BEIs close poll and print ER
Configuring the Machine
CF Card Smartmatic Inserting the Card
Initialization Initialization Report
Sample Ballot Feeding the Ballot into the Machine
Election Return and Transmission of Votes
ER Certification External Modem
Consolidation Canvassing System (CCS) – Real-Time Electoral Information System (REIS)
• Operating System: GNU/Linux
• Software possibly written in web server side programming language (e.g. JAVA)
Input: ERs from precincts
Input: Statement of Votes and Certificate of Canvass from Cities/Municipalities
Congress: President and Vice President contests
Comelec: Senators and Party List contests
Input: Statement of Votes
PCOS Machine (counting) – SAES 1800
CCS Server (canvassing) REIS
Pre-election * Election * Canvassing * Proclamation
6 Vulnerabilities On Voting Day
BEI inserts physical key into PCOS machine to power it
• Hardware Failure: Start up or boot failure
• Signing/encryption/transmission failure • Failure to accept password • Connectivity failure
BEI inserts CF card into PCOS machine to configure it
• Wrong CF card inserted
BEIs digitally signs electronic ER for transmission BEI attaches external modem to access internet connection
• Failure of function to close polls (pre-marked ballots can still be inserted) • Misreading of ballots • Mis-crediting of marks • Erroneous counting • Printer fails
BEIs type passwords to initialize the machine – zero votes
• Failure to accept password • Failure of initialization function • Machine has stored ballot images already • Wrong program installed • Paper jam
• Pre-marked legitimate ballots might be fed • Legitimate ballots rejected • Reading/scanning ballots from another precinct • Hardware/software failure • No backup units • Voter cannot verify if ballot is read/scanned correctly
Voter fills up and feeds ballot into the machine
BEIs close poll and print ER
Software and Data Integrity
5 MAJOR TECH ISSUES
Highlights of Technical Concerns
Verifiability of Voter’s Choice
Machine Interpretation of Ballot Review of Source Code
Program Integrity Verification Protection of Transmitted Data
Digital Signatures Root Users / System Administrators
Voter’s Choice Verifiability
“Provide the voter a system of verification to find out whether or not the machine has registered his choice.” [Article 7 (n) of RA 9369]
Voter’s Choice Verifiability
No sufficient mechanism for voter’s choice verifiability.
Safeguard
Comelec has to enable the feature of the SAES-1800 that will show how the PCOS machine interpreted the ballot.
RA 9369 requires Comelec to subject the source code to review by all interested parties.
• Human readable version of the computer programs running on the PCOS and BOC computers.
• Will reveal whether the counting and canvassing are done properly
• To prove that the PCOS and CCS programs follow RA 9369 and COMELEC ToR
An illustration of Java source code with prologue comments indicated in red, inline comments indicated in green, and program code indicated in blue.
Reviewed and approved source code
Machine executable format
Burned into each PCOS machine / Install in CCS
Program Integrity Verifier
How can we know that the approved source code is installed?
Program Integrity Verification
The hash (one line of numerical value) verifies that the approved program is installed in each PCOS machine / CCS
Comelec should subject the approved program to a hash verifier function
• Provide the BEIs, political parties and poll watchers the hash value
• On election day, the hash value of the program installed in each PCOS machine should be printed during the initialization stage
• If the values are different from the hash value of the approved program, the wrong program was installed in the machine
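The check a poll watcher would run with the published hash value, as an added example that is not part of the briefing or of any Comelec or Smartmatic software. SHA-256, the report line format and the precinct IDs are assumptions, and the sample data is constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ApprovedHash returns the hex digest of the reviewed program image (SHA-256 assumed).
func ApprovedHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// CheckReports reads transcribed initialization reports, one
// "<precinct id> <printed hash>" per line (a hypothetical format), and returns
// the precincts whose printed value is missing, malformed or different.
func CheckReports(published, reports string) ([]string, error) {
	want, err := hex.DecodeString(published)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("published value is not a SHA-256 hex digest")
	}
	var flagged []string
	for _, line := range strings.Split(reports, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank line
		}
		var got []byte
		if len(fields) == 2 {
			got, _ = hex.DecodeString(fields[1])
		}
		if subtle.ConstantTimeCompare(got, want) != 1 { // 0 on any mismatch
			flagged = append(flagged, fields[0])
		}
	}
	return flagged, nil
}

// SampleReports builds constructed lines: approved image, modified image, truncated printout.
func SampleReports(approved []byte) string {
	good := ApprovedHash(approved)
	bad := ApprovedHash(append([]byte("patched:"), approved...))
	return "PRECINCT-0001 " + good + "\nPRECINCT-0002 " + bad +
		"\nPRECINCT-0003 " + good[:16] + "\n"
}

func main() {
	approved := []byte("constructed stand-in for the approved program image")
	fmt.Println(CheckReports(ApprovedHash(approved), SampleReports(approved)))
}
```

The comparison only proves something if the printed value is computed over the installed program by a component that is itself trusted, and if the published value reached the watchers through a channel the installer does not control.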
Protection of Transmitted Data
Immutability of Precinct Data
Section 22 Electronic Returns: "The (precinct) election returns (ER) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes and the proclamation of a candidate."
Comelec Implementation Guide: ToR/RfP AES2010
4. Counting, Consolidation and Generation of ER
4.3 The BEI shall physically sign and affix their thumbprints on all copies and on all pages of the ER
4.5 The BEI shall digitally sign and encrypt the internal copy of the ER
Digital Signature / Secret Key
A summary (hash value) of the ER encrypted using the BEI’s secret key. The digital signature serves two purposes:
• Identifies the BEI personnel who signed the precinct ER
• It ensures that the precinct ER is not modified in any way by dagdag-bawas
What Happens If Another Person Knows the Teacher's Secret Key?
The other person, with malicious intent, can remove the BEI's signature, change the contents of the ER, and sign the modified ER (again) with the BEI's secret key. Only the person who has possession of the BEI's secret key can re-sign the ER. Any person who has possession of a majority of the BEI's secret keys can control the results of election 2010.
Bid Bulletin No. 10 (20090415): The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec.
SMARTMATIC WILL CREATE THE PRIVATE-PUBLIC KEY PAIRS
In Smartmatic's financial proposal, Item 126.96.36.199 consists of 246,600 sets of 2048-bit private-public key pairs for BEIs (3 per PCOS) at the cost of PHP0.00. The BEIs will be anonymous (will not be known by name) so that any teacher can sign in any BEI position. This can only mean that Smartmatic itself will generate the key pairs, and so Smartmatic will have all the private keys.
• Comelec should ensure that the secret key of the teacher is known only by the teacher
• The ER and digital signature (encrypted hash value) should never be separated during transmission and storage in the Comelec databases.
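Why the safeguard on key custody matters, shown from the verifier's side as an added example that is not code from the briefing or from the AES itself. RSA with PKCS#1 v1.5 and SHA-256, the ER text and all names are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignER hashes the election return (ER) and signs the hash with a private key.
func SignER(key *rsa.PrivateKey, er []byte) ([]byte, error) {
	digest := sha256.Sum256(er)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyER reports whether sig is a valid signature over er for pub.
func VerifyER(pub *rsa.PublicKey, er, sig []byte) bool {
	digest := sha256.Sum256(er)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Result records what the canvassing side observes in each case.
type Result struct{ Original, Altered, ReSigned bool }

// Demo signs a constructed ER, then verifies it, an altered copy carrying the
// old signature, and an altered copy re-signed by a second holder of the key.
func Demo() (Result, error) {
	beiKey, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit, as in the proposal
	if err != nil {
		return Result{}, err
	}
	keyCopy := beiKey // assumption: whoever generated the pair kept a copy
	er := []byte("PRECINCT-0001|CANDIDATE A=120|CANDIDATE B=95") // constructed
	altered := []byte("PRECINCT-0001|CANDIDATE A=20|CANDIDATE B=195")
	sig, err := SignER(beiKey, er)
	if err != nil {
		return Result{}, err
	}
	sig2, err := SignER(keyCopy, altered)
	if err != nil {
		return Result{}, err
	}
	pub := &beiKey.PublicKey
	return Result{VerifyER(pub, er, sig), VerifyER(pub, altered, sig),
		VerifyER(pub, altered, sig2)}, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v %v\n", r, err)
}
```

The altered ER with the old signature is rejected, but the re-signed one verifies exactly like the original, so the signature protects the ER only if the private key is generated and held by the signer alone.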
He Who Controls Technology, Controls the Votes
The root user/system administrator or “super user”
A human who can issue any command available on the computer, normally to do system maintenance or to recover from failure.
The root user can edit the precinct ERs if he has access to secret keys and change the election results.
• Comelec should have enough precautions so that a root user is not needed to manually interfere with the election programs
• In case of a breakdown, the root user’s activities are all properly logged in publicly displayed audit and log files in real time to be scrutinized by poll watchers.
• The root user must not be allowed to log-in from remote / different location
What will happen if issues are not addressed?
Unless these issues are addressed satisfactorily by Comelec, Smartmatic, the Comelec Advisory Council (CAC), the Comelec Technical Evaluation Committee (TEC), and the Joint Congressional Oversight Committee, the computerized elections in 2010 can lead to computerized cheating or failure of elections.
HOW YOU CAN HELP
Source Code Review System Administration, Keys and
IT Research Geographical Info System Website Development Media and Publicity Administrative
Cryptography, Data Communications and Processing, Event Handling Related Literature and Technology Research Encode Content management Multimedia content production and design Transcription
AES Policy Research Office, 3rd Flr. (UP Law Library), UP College of Law (Malcolm Hall)
Contact No: 029299526 / 09064924266 Email: email@example.com AES Website: http://www.aes2010.net CenPEG: http://www.cenpeg.org
BOARD OF DIRECTORS: Dr. Bienvenido Lumbera, Chair; Dr. Temario Rivera, Vice-Chair; Prof. Luis V. Teodoro; Dr. Eleanor Jara; Bishop Gabriel Garol; Atty. Cleto Villacorta; Ms. Evi-Ta Jimenez; Dr. Edgardo Clemente; Prof. Roland Simbulan; Prof. Bobby Tuazon; Dr. Felix Muga II
3/F, College of Social Work and Community Development Bldg., University of the Philippines, Diliman, Quezon City, Philippines Telefax: +632-9299526 email: firstname.lastname@example.org; email@example.com website: http://www.cenpeg.org
BRIEFING Philippine Automated Election System (AES) 2010
Modernizing Democracy or Modernizing Cheating?
Center for People Empowerment in Governance (www.cenpeg.org) Automated Election System (AES) 2010 Policy Study (www.aes2010.net)
(A Project in Election Reform) Office of the Dean, UP College of Law
Major Issues in the Automated Election System (AES)
• 4 major legal issues • 5 major technical issues • 6 major mgt issues
• Undue delegation of legislative power
• Foreign ownership / control
• Generally, intolerable technical flaws
• Violation of statutory provisions
• Source code (PCOS & CCS integrity)
• Program integrity verification
• Voter’s choice verifiability
• Protection of transmitted data – digital signature
• Root user / system administrator
• Choice of technology
• Competence (Comelec & CAC)
• Procurement / bidding
• Geographic Information System (GIS)
• IRR & adjudication process
• Comelec’s constitutional mandate
IS COMELEC READY for AES2010?
August 13, 2009
• Choice of technology
• Management competence
• Procurement/bidding
• Geographic Information System (GIS)
• IRR & adjudication process
• Comelec’s constitutional mandate
Note: Comelec’s AES is the single, biggest fully-automated election project worldwide.
1. Choice of technology
• Failure to consult the Filipino IT community
• Need to revisit RA 9369 (Sec. 37: as “technology evolves” and “suitable to local conditions”)
• PCOS-OMR system: does not enhance “secret voting, public counting” (transparency); limits voter’s rights
• Smartmatic-TIM’s P7.2-billion technology is cheap but substandard
• Automate only the correct and tested process
2. Management competence
• Automated election = clean election, is an illusion
• Going “full-blast” instead of by phases (RA 9369 provides for pilot testing)
• Full automation without addressing systemic fraud
• Priority of speed – over promoting voter’s rights
• Heavy reliance on foreign expertise and technology (outsourcing): Outsource only a system that you know about
• Comelec lacks IT and infrastructure competence (CAC report, October 2008)
• Comelec Advisory Council (CAC) lacks independence and competence
• Senate: Comelec/SBAC lack “diligent scrutiny”
• Tendency to short cut election preparations (e.g., in the Comelec calendar there is no schedule of source code review; disregard for safeguards & security measures)
• Flawed or inadequate continuity and contingency plans (also observed in a Senate committee hearing)
3. Procurement / bidding
AES study/ CenPEG photos
• Legal questions (e.g., papers of incorporation; 60-40 sharing; was there a NEDA review?)
• Accounts about bending of rules to favor Smartmatic-TIM consortium
• Are Smartmatic-TIM “politically neutral” (Comelec bid rule)
• Demonstration tests inadequate; controlled environment; only hardware & external features shown (not the more crucial internal features such as software). Claim of “transparency” is superficial.
4. Geographic Information System (GIS)
• Comelec has no functional GIS for AES’ 80,000 PCOS machines, 1,800 CCS machines In the 2008 ARMM automated polls (Comelec’s “pilot test”): Technical, manpower and environmental problems NEDA 2007 report: government IT infrastructure 90% failure; most public websites can be hacked NCC Contingency plans, safeguards & security measures for GIS-related vulnerabilities are imperative
5. Lack of IRRs & adjudication process
• Since RA 9369 became a law (January 2007), there is no IRR
• Either the law is unclear or Comelec has no measures with regard to AES-generated election protests (adjudication process)
6. Comelec constitutional mandate
Has Comelec abdicated its constitutional mandate to manage & administer the elections?
• 90% of election administration is entrusted to Smartmatic-TIM
• Comelec: “Trust the machines”; “It’s up to Smartmatic-TIM”
• To critics of AES: “fear mongering”; promoters of “No-El”; “Trust the Comelec”
• Commission of Smartmatic-TIM?
CONCLUSION: Some questions
• Is the AES system really a “Dream Poll”? Or is it designed to fail?
• Given the inadequate preparations and the fluid political situation, will there be a failure of election in May 2010?
• Sen. Dick Gordon: “If this automation will just be worse than the manual, then I will not support it, even if I authored the law.”
• Senate President Juan Ponce Enrile: “Failure of election will spark a revolution!”
AES study/ CenPEG photo
• Trust is built over time. • To trust the machine, know how it operates. • Who controls the technology, controls the votes.
- END -
Mr. Manuel Alcuaz’s Reactions
COMELEC SMARTMATIC PAYMENT TERMS DISHONEST? CRIMINAL? FOOLISH?
RFP WAS 56 PAGES LONG BUT HAD NO TERMS OF PAYMENT!
P 1, 795 Billion Payment Innovations __________________________________
• Project Initialization, Setup Project Management Team (PMT) and Project Systems including all SW licenses and firmware 10%
• Delivery of Development Set (20 Units) 5%
• Report on Transmission and Logistics 5%
• Delivery of Functional System and Software Agreement 5%
NOT in RFP! NOT in Smartmatic Financial Proposal
PROJECT INITIALIZATION, SETUP PROJECT MANAGEMENT TEAM (PMT) AND PROJECT SYSTEMS INCLUDING ALL SW LICENSES AND FIRMWARE 10%
Payment Term Financial Proposal
Components
Project Management P 99,999,999.00
PCOS Application P20,786,802.18!
BMS Application P21,223,021.07
P 719 million
How can setting up be many times more than doing the job?
DELIVERY OF DEVELOPMENT SET (20 UNITS)
Payment Term Financial Proposal
Actual cost
P45,419 x 20
=P 908, 380 Million Nearly P18 Million per unit
REPORT ON TRANSMISSION AND LOGISTICS
Payment Term Financial Proposal
Provision for Electronic Transmission P200 million (P 199,999,997.51) Total warehousing, deployment and pull out,
Million Report (written on gold paper?)
How can a report be 30% of the actual services? This will make the Guinness Book of Records!
Delivery of Functional System and Software Agreement
Payment Term Financial Proposal
Analysis and Design for EMS and PCOS and CCS all P0.00
Tools and Programs for EMS, PCOS, and CCS all P0.00
P 359 Million
Section 7.3 p 30 of RFP states “The ownership of the Analysis, Design, and executable programs of all the application develop should be given to COMELEC at no additional cost” What is COMELEC paying for?!