Automated Election System · Consolidation / Canvassing System (CCS) · BOC Computer · Smartmatic...


Upload: tranquynh

Post on 09-Jul-2018


TRANSCRIPT

Automated Election System
Does automation = clean elections?

Possible Problems: Preliminary Results
Technical Briefing

What is the AES?

• "A system using appropriate technology which has been demonstrated in the voting, counting, consolidating, canvassing, and transmission of election result, and other electoral process"

Public perception of the AES

• It would lead to clean elections
• Cheating would be impossible in an automated election

AES System

• Election Management System (EMS)
  • Configuration of precinct data
  • Election Mark-Up Language (EML)
• Precinct-Count Optical Scan (PCOS) System
  • Precinct Machine
• Consolidation / Canvassing System (CCS)
  • BOC Computer

SMARTMATIC AUTOMATED ELECTION SYSTEM (SAES 1800)

PCOS Machine

SAES 1800

• Precinct Count Optical Scan / Optical Mark Reader (OMR)
  • Detects the absence or presence of a mark in predefined positions on a form

SAES 1800 Components

• Thermal Printer: 2-1/4 inch roll paper; rated to last 5 years
• Input / Output Ports: CF card reader; UTP Ethernet port; disabled USB; RJ-11 modem port
• Digital Scanner: 4-bit mono-color scanner; 16 shades of gray
• Display: touch screen, mono-color display; quarter VGA in size, 320x240 pixels
• Ballot Box
• Cast and Return: buttons disabled
• RF Key
• Processor and Memory: not specified
• Compact Flash (CF) Card

Ballot Boxes with Transparent Panels

Compartments in the Ballot Box

(Figure: ballot box with transparent panels and separate compartments for invalid ballots and valid ballots)

Software Specifications: Operating System

• Embedded uClinux
• Possibly with uClibC
• Possibly with GNU core utilities
• Copyrighted under the General Public License (GPL) open source licensing scheme

Voting Flow using PCOS-OMR

1. BEI inserts physical key into PCOS machine to power it
2. BEI inserts CF card into PCOS machine to configure it
3. BEIs type passwords to initialize the machine – zero votes
4. Voter fills up and feeds ballot into the machine
5. BEIs close poll and print ER
6. BEI attaches external modem to access internet connection
7. BEIs digitally sign electronic ER, which gets transmitted to municipal, provincial and national servers
8. Canvassing

Configuring the Machine

(Figure: Smartmatic CF card; inserting the card)

Initialization

(Figure: initialization; initialization report)

Voting

(Figure: sample ballot; feeding the ballot into the machine)

Election Return and Transmission of Votes

(Figure: ER certification; external modem)

CANVASSING LEVELS
Data Flows

Consolidation Canvassing System (CCS) – Real-Time Electoral Information System (REIS)

• Operating System: GNU/Linux
• Software possibly written in web server side programming language (e.g. JAVA)

• Cities/Municipal
  • Input: ERs from precincts
• Provincial/Congressional
  • Input: Statement of Votes and Certificate of Canvass from Cities/Municipalities
• National
  • Congress: President and Vice President contests
  • Comelec: Senators and Party List contests
  • Input: Statement of Votes

PCOS Machine (counting) – SAES 1800
CCS Server (canvassing) – REIS

30 VULNERABILITIES
Pre-election * Election * Canvassing * Proclamation

6 Vulnerabilities On Voting Day

• Hardware failure: start up or boot failure
• Pre-marked legitimate ballots might be fed
• Legitimate ballots rejected
• Reading/scanning ballots from another precinct
• Hardware/software failure
• No backup units
• Voter cannot verify if ballot is read/scanned correctly
• Failure to accept password
• Wrong CF card inserted
• Failure of initialization function
• Machine has stored ballot images already
• Wrong program installed
• Paper jam
• Failure of function to close polls (pre-marked ballots can still be inserted)
• Misreading of ballots
• Mis-crediting of marks
• Erroneous counting
• Printer fails
• Signing/encryption/transmission failure
• Failure to accept password
• Connectivity failure


5 MAJOR TECH ISSUES
Software and Data Integrity

Highlights of Technical Concerns

• Verifiability of Voter's Choice
  • Machine Interpretation of Ballot
• Program Correctness
  • Review of Source Code
• Program Integrity Verification
• Protection of Transmitted Data
  • Digital Signatures
• System Administration
  • Root Users / System Administrators

Voter's Choice Verifiability

"Provide the voter a system of verification to find out whether or not the machine has registered his choice."
[Article 7 (n) of RA 9369]

Voter's Choice Verifiability

• No sufficient mechanism for voter's choice verifiability.
• Safeguard
  • Comelec has to enable the feature of the SAES-1800 that will show how the PCOS machine interpreted the ballot.

Program Correctness

RA 9369 requires Comelec to subject the source code to review by all interested parties.

Source Code

• Human readable version of the computer programs running on the PCOS and BOC computers.
• Will reveal whether the counting and canvassing are done properly
• To prove that the PCOS and CCS programs follow RA 9369 and COMELEC ToR

(Figure: an illustration of Java source code with prologue comments indicated in red, inline comments indicated in green, and program code indicated in blue.)

Reviewed and approved source code → machine executable format → burned into each PCOS machine / installed in CCS

Safeguard
Program Integrity Verifier

How can we know that the approved source code is installed?

Program Integrity Verification

• The hash (one line of numerical value) verifies that the approved program is installed in each PCOS machine / CCS
• Safeguard
  • Comelec should subject the approved program to a hash verifier function
  • Provide the BEIs, political parties and poll watchers the hash value
  • On election day, the hash value of the program installed in each PCOS machine should be printed during the initialization stage
  • If the values are different from the hash value of the approved program, the wrong program was installed in the machine
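The hash check described on this slide, written out as an added example; this is not code from Comelec, Smartmatic or the AES project. The program images are constructed stand-ins, and the choice of SHA-256, the function names and the report format are this example's own assumptions.

```python
"""Program integrity verification by hash comparison (added example).

Models the safeguard on the slide: the approved program image is hashed
once, the hash value is published to the BEIs, parties and poll watchers,
and on election day the hash of the image actually installed on a machine
is recomputed at initialization and compared with the published value.
The two "images" below are constructed byte strings, not real firmware.
"""
import hashlib
import hmac

# Constructed stand-in for the reviewed and approved program image.
APPROVED_IMAGE = b"PCOS counting program v1.0 (approved build)"

# Constructed stand-in for a modified program that the check must catch.
TAMPERED_IMAGE = b"PCOS counting program v1.0 (approved build) + hidden vote shift"


def program_hash(image: bytes) -> str:
    """Return the SHA-256 digest of a program image as one line of hex.

    This is the "one line of numerical value" the slide refers to: any
    change to the image, even a single byte, yields a different value.
    """
    return hashlib.sha256(image).hexdigest()


def publish_reference_hash(approved_image: bytes) -> str:
    """Hash the approved program once; this is the value handed to the
    BEIs, political parties and poll watchers before election day."""
    return program_hash(approved_image)


def initialization_report(installed_image: bytes, reference_hash: str) -> dict:
    """Model the initialization stage: print the installed program's hash
    and check it against the published reference.

    Returns the hash that would be printed and whether it matches.  A
    mismatch means the wrong program was installed in the machine.
    """
    installed_hash = program_hash(installed_image)
    # compare_digest is the idiomatic way to compare two digests; a plain
    # == would give the same verdict here.
    matches = hmac.compare_digest(installed_hash, reference_hash)
    return {"installed_hash": installed_hash, "matches_approved": matches}


if __name__ == "__main__":
    reference = publish_reference_hash(APPROVED_IMAGE)
    print("published hash of approved program:", reference)
    for label, image in (("correct machine", APPROVED_IMAGE),
                         ("tampered machine", TAMPERED_IMAGE)):
        report = initialization_report(image, reference)
        verdict = "OK" if report["matches_approved"] else "WRONG PROGRAM INSTALLED"
        print(f"{label}: {report['installed_hash']} -> {verdict}")
```

One design point a reviewer would add to the slide's safeguard: a hash that the machine computes and prints about itself is only as trustworthy as the code doing the printing, so the check is strongest when the published value is also compared against a hash taken by an independent verifier reading the installed image directly (for instance from the CF card) rather than relying only on what the program under test reports.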

Protection of Transmitted Data
Immutability of Precinct Data

RA 9369

• Section 22 Electronic Returns: "The (precinct) election returns (ER) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes and the proclamation of a candidate."

Comelec Implementation
Guide: ToR/RfP AES2010

• 4. Counting, Consolidation and Generation of ER
  • 4.3 The BEI shall physically sign and affix their thumbprints on all copies and on all pages of the ER
  • 4.5 The BEI shall digitally sign and encrypt the internal copy of the ER

Digital Signature / Secret Key

• A summary (hash value) of the ER encrypted using the BEI's secret key.
• The digital signature serves two purposes:
  • Identifies the BEI personnel who signed the precinct ER
  • It ensures that the precinct ER is not modified in any way by dagdag-bawas

What Happens If Another Person Knows the Teacher's Secret Key?

• The other person, with malicious intent, can remove the BEI's signature, change the contents of the ER, and sign the modified ER (again) with the BEI's secret key.
• Only the person who has possession of the BEI's secret key can re-sign the ER.
• Any person who has possession of a majority of the BEI's secret keys can control the results of election 2010

Comelec's Error

• Bid Bulletin No. 10 (20090415):
  The digital signature shall be assigned by the winning bidder to all members of the BEI and the BOC (whether city, municipal, provincial, district). For the NBOCs, the digital signatures shall be assigned to all members of the Commission and to the Senate President and the House Speaker. The digital signature shall be issued by a certificate authority nominated by the winning bidder and approved by the Comelec.

SMARTMATIC WILL CREATE THE PRIVATE-PUBLIC KEY PAIRS

• In Smartmatic's financial proposal, Item 1.2.1.4 consists of 246,600 sets of 2048-bit private public key pairs for BEIs (3 per PCOS) at the cost of PHP0.00. The BEIs will be anonymous (will not be known by name) so that any teacher can sign in any BEI position.
• This can only mean that Smartmatic itself will generate the key pairs, and so Smartmatic will have all the private keys.

Safeguards

• Comelec should ensure that the secret key of the teacher is known only by the teacher
• The ER and digital signature (encrypted hash value) should never be separated during transmission and storage in the Comelec databases.
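The "Digital Signature / Secret Key" slide, the "What Happens If Another Person Knows the Teacher's Secret Key?" slide and the safeguards above describe one mechanism: hash the ER, sign the hash with the BEI's secret key, verify with the matching public key, and keep ER and signature together. The following is an added example that carries that mechanism through end to end; it is not code from Comelec, Smartmatic or the AES project. It uses textbook RSA with tiny hard-coded primes so that it runs on the Python standard library alone; such a key is not secure and serves only to show how signing and verification relate. The sample ER text, the prime values and all function names are this example's own assumptions.

```python
"""Hash-then-sign of a precinct election return (ER) -- added example.

Shows the two properties the slides attribute to the BEI's digital
signature (it identifies the key holder, and any change to the ER after
signing makes verification fail) and why the secret key must stay with the
teacher: a holder of the key can re-sign an altered ER and it verifies.
TOY KEY: the primes are far too small for real use; illustration only.
"""
import hashlib
from math import gcd

# Constructed toy key material (insecure by design; see module docstring).
_P = 1000003
_Q = 999983
_E = 65537


def make_toy_keypair():
    """Return (public_key, private_key), each as an (n, exponent) tuple."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    assert gcd(_E, phi) == 1, "public exponent must be invertible mod phi"
    d = pow(_E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, _E), (n, d)


def er_digest(er_text: str, n: int) -> int:
    """SHA-256 of the ER, reduced into the RSA modulus.

    The reduction is only needed because the toy modulus is tiny; with a
    real 2048-bit key the padded hash fits without it.
    """
    h = hashlib.sha256(er_text.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % n


def sign_er(er_text: str, private_key) -> int:
    """The BEI's signature: the ER's hash value 'encrypted' with the secret key."""
    n, d = private_key
    return pow(er_digest(er_text, n), d, n)


def verify_er(er_text: str, signature: int, public_key) -> bool:
    """Anyone holding the public key can check that the ER still matches
    the hash that the secret-key holder signed."""
    n, e = public_key
    return pow(signature, e, n) == er_digest(er_text, n)


def transmit(er_text: str, private_key) -> dict:
    """Keep the ER and its signature together as one record, the safeguard
    on the slide: never separate them in transmission or storage."""
    return {"er": er_text, "signature": sign_er(er_text, private_key)}


def canvass_accepts(record: dict, public_key) -> bool:
    """Server-side check before an ER is used as a basis for canvassing."""
    return verify_er(record["er"], record["signature"], public_key)


def demo() -> dict:
    """Run the three cases the slides discuss and return the outcomes."""
    pub, priv = make_toy_keypair()
    # Constructed sample ER for one precinct.
    er = "Precinct 0001 | Candidate A: 120 | Candidate B: 95 | Candidate C: 40"
    record = transmit(er, priv)

    # Contents altered after signing (dagdag-bawas) while the original
    # signature is left in place: the hash no longer matches, so it fails.
    altered = dict(record, er=er.replace("Candidate A: 120", "Candidate A: 210"))

    # If the secret key is known to someone else, the altered ER can be
    # re-signed and verifies like a genuine one: verification proves only
    # that a key holder signed, which is why key secrecy is the safeguard.
    resigned = transmit(altered["er"], priv)

    return {
        "genuine_accepted": canvass_accepts(record, pub),
        "altered_rejected": not canvass_accepts(altered, pub),
        "resigned_with_leaked_key_accepted": canvass_accepts(resigned, pub),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The record returned by transmit() is the shape the second safeguard calls for: the ER and its signature travel and are stored as one unit, so a canvassing server can always run canvass_accepts() before using an ER, and an ER found without its signature is simply unverifiable rather than silently trusted.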

System Administration

He Who Controls Technology, Controls the Votes

System Administration

• The root user/system administrator or "super user"
  • A human who can issue any command available on the computer, normally to do system maintenance or to recover from failure.
• The root user can edit the precinct ERs if he has access to secret keys and change the election results.

Safeguards

• Comelec should have enough precautions so that a root user is not needed to manually interfere with the election programs
• In case of a breakdown, the root user's activities are all properly logged in publicly displayed audit and log files in real time to be scrutinized by poll watchers.
• The root user must not be allowed to log in from remote / different location

What will happen if issues are not addressed?

• Unless these issues are addressed satisfactorily by Comelec, Smartmatic, the Comelec Advisory Council (CAC), the Comelec Technical Evaluation Committee (TEC), and the Joint Congressional Oversight Committee, the computerized elections in 2010 can lead to computerized cheating or failure of elections.

HOW YOU CAN HELP

Area: Tasks
• Source Code Review: System Administration, Keys and Cryptography, Data Communications and Processing, Event Handling
• IT Research: Related Literature and Technology
• Geographical Info System: Research; Encode
• Website Development: Content management
• Media and Publicity: Multimedia content production and design
• Administrative: Transcription

Contact Information

• Project Office
  • AES Policy Research Office, 3rd Flr. (UP Law Library), UP College of Law (Malcolm Hall)
• Contact No: 029299526 / 09064924266
• Email: [email protected]
• AES Website: http://www.aes2010.net
• CenPEG: http://www.cenpeg.org

3/F, College of Social Work and Community Development Bldg., University of the Philippines, Diliman, Quezon City, Philippines. Telefax: +632-9299526; email: [email protected]; [email protected]; website: http://www.cenpeg.org

BOARD OF DIRECTORS: Dr. Bienvenido Lumbera, Chair; Dr. Temario Rivera, Vice-Chair; Prof. Luis V. Teodoro; Dr. Eleanor Jara; Bishop Gabriel Garol; Atty. Cleto Villacorta; Ms. Evi-Ta Jimenez; Dr. Edgardo Clemente; Prof. Roland Simbulan; Prof. Bobby Tuazon; Dr. Felix Muga II

CenPEG
Center for People Empowerment in Governance (www.cenpeg.org)
Automated Election System (AES) 2010 Policy Study (www.aes2010.net)
(A Project in Election Reform)
Office of the Dean, UP College of Law

BRIEFING
Philippine Automated Election System (AES) 2010
Modernizing Democracy or Modernizing Cheating?

4 – 5 – 6 Major Issues in the Automated Election System (AES)

• 4 major legal issues
  • Undue delegation of legislative power
  • Foreign ownership / control
  • Generally, intolerable technical flaws
  • Violation of statutory provisions
• 5 major technical issues
  • Source code (PCOS & CCS integrity)
  • Program integrity verification
  • Voter's choice verifiability
  • Protection of transmitted data – digital signature
  • Root user / system administrator
• 6 major mgt issues
  • Choice of technology
  • Competence (Comelec & CAC)
  • Procurement / bidding
  • Geographic Information System (GIS)
  • IRR & adjudication process
  • Comelec's constitutional mandate

IS COMELEC READY for AES2010?
MANAGEMENT ISSUES
August 13, 2009

THIS PRESENTATION
• Choice of technology
• Management competence
• Procurement/bidding
• Geographic Information System (GIS)
• IRR & adjudication process
• Comelec's constitutional mandate

• Note: Comelec's AES is the single, biggest fully-automated election project worldwide.

1. Choice of technology
• Failure to consult the Filipino IT community
• Need to revisit RA 9369 (Sec. 37: as "technology evolves" and "suitable to local conditions")
• PCOS-OMR system: does not enhance "secret voting, public counting" (transparency); limits voter's rights
• Smartmatic-TIM's P7.2-billion technology is cheap but sub-standard
• Automate only the correct and tested process

(Figure: SAES 1800)

2. Management competence
• Automated election = clean election, is an illusion
• Going "full-blast" instead of by phases (RA 9369 provides for pilot testing)
• Full automation without addressing systemic fraud
• Priority of speed – over promoting voter's rights
• Heavy reliance on foreign expertise and technology (outsourcing): Outsource only a system that you know about

Management competence
• Comelec lacks IT and infrastructure competence (CAC report, October 2008)
• Comelec Advisory Council (CAC) lacks independence and competence
• Senate: Comelec/SBAC lack "diligent scrutiny"
• Tendency to short cut election preparations (e.g., in the Comelec calendar there is no schedule of source code review; disregard for safeguards & security measures)
• Flawed or inadequate continuity and contingency plans (also observed in a Senate committee hearing)

3. Procurement / bidding

• Legal questions (e.g., papers of incorporation; 60-40 sharing; was there a NEDA review?)
• Accounts about bending of rules to favor Smartmatic-TIM consortium
• Are Smartmatic-TIM "politically neutral" (Comelec bid rule)?
• Demonstration tests inadequate; controlled environment; only hardware & external features shown (not the more crucial internal features such as software). Claim of "transparency" is superficial.

(Photos: AES study/CenPEG)

4. Geographic Information System (GIS)

• Comelec has no functional GIS for AES’ 80,000 PCOS machines, 1,800 CCS machines

• In the 2008 ARMM automated polls (Comelec’s “pilot test”): Technical, manpower and environmental problems

• NEDA 2007 report: government IT infrastructure 90% failure; most public websites can be hacked – NCC

• Contingency plans, safeguards & security measures for GIS-related vulnerabilities are imperative

5. Lack of IRRs & adjudication process

• Since RA 9369 became a law (January 2007), there is no IRR
• Either the law is unclear or Comelec has no measures with regard to AES-generated election protests (adjudication process)

6. Comelec constitutional mandate

Has Comelec abdicated its constitutional mandate to manage & administer the elections?

• 90% of election administration is entrusted to Smartmatic-TIM

• Comelec: “Trust the machines”; “It’s up to Smartmatic-TIM”

• To critics of AES: “fear mongering”; promoters of “No-El”; “Trust the Comelec”

• Commission of Smartmatic-TIM?

CONCLUSION: Some questions
• Is the AES system really a "Dream Poll"? Or is it designed to fail?
• Given the inadequate preparations and the fluid political situation, will there be a failure of election in May 2010?
• Sen. Dick Gordon: "If this automation will just be worse than the manual, then I will not support it, even if I authored the law."
• Senate President Juan Ponce Enrile: "Failure of election will spark a revolution!"

(Photo: AES study/CenPEG)

• Trust is built over time.
• To trust the machine, know how it operates.
• Who controls the technology, controls the votes.

- END -

COMELEC–SMARTMATIC PAYMENT TERMS: DISHONEST? CRIMINAL? FOOLISH?
Mr. Manuel Alcuaz's Reactions

RFP WAS 56 PAGES LONG BUT HAD NO TERMS OF PAYMENT!

P 1,795 Billion Payment Innovations
• Project Initialization, Setup Project Management Team (PMT) and Project Systems including all SW licenses and firmware: 10%
• Delivery of Development Set (20 Units): 5%
• Report on Transmission and Logistics: 5%
• Delivery of Functional System and Software Agreement: 5%

NOT in RFP! NOT in Smartmatic Financial Proposal

PROJECT INITIALIZATION, SETUP PROJECT MANAGEMENT TEAM (PMT) AND PROJECT SYSTEMS INCLUDING ALL SW LICENSES AND FIRMWARE: 10%

Payment Term: P 719 million
Financial Proposal, components:
• Project Management: P 99,999,999.00
• PCOS Application: P20,786,802.18!
• BMS Application: P21,223,021.07

How can setting up be many times more than doing the job?

6

DELIVERY OF DEVELOPMENT SET (20 UNITS)

Payment Term: P 359 Million (nearly P18 Million per unit)
Financial Proposal, actual cost: P45,419 x 20 = P 908,380

7

REPORT ON TRANSMISSION AND LOGISTICS

Payment Term: P 359 Million report (written on gold paper?)
Financial Proposal: Provision for Electronic Transmission P200 million (P 199,999,997.51); total warehousing, deployment and pull out, P916,581,355.

How can a report be 30% of the actual services? This will make the Guinness Book of Records!

8

Delivery of Functional System and Software Agreement

Payment Term: P 359 Million
Financial Proposal: Analysis and Design for EMS and PCOS and CCS all P0.00; Tools and Programs for EMS, PCOS, and CCS all P0.00

Section 7.3 p 30 of RFP states "The ownership of the Analysis, Design, and executable programs of all the application develop should be given to COMELEC at no additional cost". What is COMELEC paying for?!