Win the votes, but lose the AES count?

It may seem unlikely, but it is possible for a candidate for a national post to win enough votes to get elected but lose in the computerized count of the Automated Election System (AES) if adequate safeguards are not adopted early.

That’s why many voters are worried why almost everybody – including the opposition! – is so quiet about checking the technical preparations for the May 9 national elections under the AES established by RA 8436.

There is an eerie silence inside and outside the Commission on Elections about adopting more safeguards or protocols to ensure that the computerized system is not compromised and that it will faithfully ascertain and report the electorate’s verdict.

Such protocols should be discussed openly with political parties, election watchdogs and technical groups, then adopted and announced early enough.

The vaunted 100,000-plus Vote Counting Machines (VCMs) to be deployed in the polling precincts nationwide are only as good or as bad as they are used/misused under the caveat “Garbage in, garbage out.”

The AES law mandates that at least three months before Election Day, local parties must be able to review the source code of the hardware. The elections are just 38 days away but we have not heard of political parties, among interested groups, having reviewed the source code.

The source code is the human-readable copy of the instructions in binary code installed in the computers. The review would help assure all parties that no malicious instruction had been inserted and that the machines would work the way they should.

Last Thursday, we gave as a crude example of a malicious instruction that could be inserted in the source code a line in the tenor of “for every five votes for Candidate A, credit one of the five votes for Candidate B.”

The industry practice for election systems is to secure the international certification of the source code. Is there an official statement that Comelec has done this? If there’s none, isn’t it rather late to rush one and publish it?

Another safeguard issue is on the use of personal digital signatures of the members of the Electoral Board on the electronic election returns, and of the members of the Board of Canvassers on the electronic certificates of canvass.

The EB and BoC members initiate the machines’ digital signing process by using passwords generated by the VCM vendor and the Comelec. There must be a way to independently verify the authenticity of the digitally signed and electronically transmitted election reports.

The Electronic Commerce Act (RA 8792) gives legal recognition to an electronic signature as the equivalent of a person’s written signature. An electronic signature may be executed by a person using what is called the public key infrastructure (PKI).

A person’s digital signature affixed to an electronic document is unique to that electronic document and protects it against tampering.

The National Citizens’ Movement for Free Elections (Namfrel) has been advocating the proper implementation of the digital signing of election reports generated by the VCMs and the canvassing and consolidation servers.

Some political parties and concerned groups are also insisting that all hardware involved in the elections be identified on a certified master list that shows their IP (Internet Protocol) addresses and physical locations.

Some VCMs, with apparent access to the system, were discovered in a previous election to have been operating secretly in a private location. But the investigation simply stopped and nothing more was heard about it. What steps are being taken to prevent this from recurring?

It has been noticed also that VCMs in some precincts broke down or malfunctioned during the startup or the voting. There are technicians ready to troubleshoot, including their using a reconfigured SD (Secure Digital) Card or bringing in a VCM replacement.

What are the agreed protocols and procedures when this happens? How sure are we that a replacement VCM has not been pre-programmed for cheating? Who can check that possibility except for the technician himself that brought it? Are all technicians trustworthy?

Are the chair and/or members of the Electoral Board trained and technically qualified to check or reset malfunctioning machines?

It could happen that the technician who was called in just tinkers with the machine or replaces its SD Card with one that he has with him. How sure are we that he has not been bribed to reset the VCM with his unique SD Card and make the machine operate in a prearranged manner?

It has been shown that an SD Card such as one carried by a technician could have been reconfigured to load an instruction that will show initially a clean restart of the machine but produce later the desired vote count for that precinct.

It has been strongly suggested that in a precinct where the VCM had malfunctioned, or where the SD Card had been reconfigured or replaced, or where transmissions had faltered, a manual count of the votes be conducted – and the manual count be the official count in that precinct.

If the adoption of needed safeguards or protocols is further delayed, deliberately or otherwise, the Comelec might announce that there is no more time to debate the matter – and ask everybody to just say Amen.

The sensitive situation could blow up into a crisis if the anticipated problems do crop up after a presidential candidate has been proclaimed winner, sworn in and invested with the awesome powers of the Chief Executive.

*      *      *

NB: All Postscripts are also archived at ManilaMail.com. Author is on Twitter as @FDPascual. Email: [email protected]