COMMISSION on Elections spokesperson James Jimenez on Monday answered point by point the questions raised by computer expert Pablo Manalastas in connection with next year’s automated elections, including the possibility of computerized cheating. Following is the full text of his reply (La Verdad), which appeared in his blog:
In an article out of the VERA Files, Garcillano is once again being invoked as a boogeyman to spook the people into rejecting the automation of the 2010 elections. I’ve linked to the article, so I’ll just go straight into it and offer up a few clarifications.
Manaslatas laid out the possible scenarios: What if the two special felt-tip pens allotted per precinct dry up before voting ends and voters have nothing to write their choices with? What if the counting machine gets jammed when ballots are being fed to it? What if the local GPRS connection is bad and slows the transmission of the results from the precincts to the municipal or city canvassers? Or what if someone snatches the laptop computer at the canvassing center?
Seriously? Felt-tip pens running dry are gonna muck up the elections? It seems to me unfortunate that Dr. Manalastas thinks that the COMELEC is so benighted that we would willingly let the election be hostage to dried up magic markers.
He then asks, what about jammed counting machines? The COMELEC’s continuity plan, presented to the Senate and the Supreme Court, features a machine replacement protocol that calls for the defective or malfunctioning PCOS to be replaced within two hours from the time the decision to replace the unit was made.
Bad GPRS connection? Again, the COMELEC’s deployment plan provides for redundancies such that if one mode of transmission fails an alternate mode kicks in. In any case, signal strength fluctuates, yes? It is highly possible that the poor signal you’re cussing out now will pick up in a few minutes, so this isn’t really a major cause of concern. And as for a laptop being snatched from the canvassing center … a canvassing center is more secure than a bank, what with the press of human bodies all eager to witness the canvassing. And anyway, in the unlikely event that something of the sort does happen, Dr. Manalastas forgets that there is a back-up set of data – whether they be election returns or municipal or provincial reports – in the COMELEC central server and the servers of the citizen’s arm, the dominant majority and minority, the KBP, and on the public website. Snatching the canvassing laptops only delays the process. It. is. not. fatal.
But these scenarios aren’t as worrisome as what else could happen: The whole system could be rigged, and all computers—from those at the precincts all the way to those at the Commission on Elections and Congress that will canvass the results for the senatorial and presidential elections—could be pre-programmed to make certain candidates win.
How could this happen?
The Precinct Count Optical Scan (PCOS) machines could arrive at the precincts with prepared ballot images and election results already inputted into the system, and the computers for canvassing with prepared Certificates of Canvass (COC) and Statements of Votes (SOVs). And at any stage of the elections, someone who has the root password could log into the system from a remote site and control the canvassing computers—and the canvassers wouldn’t even know. This could happen as early as municipal canvassing because the computer will stay connected to the network for 24 to 72 hours via modem starting at 6 p.m. of election day.
In brief, Dr. Manalastas posits that: first, the PCOS might arrive at the polling places pre-loaded with results – kinda like a new Mac; and second, that someone can log into the canvassing computers and monkey with the results.
As to the first, Dr. Manalastas forgets that COMELEC procedure calls for the run-through of the system very close to election day during which it will be demonstrated that the machines have nothing pre-loaded in them. The machines are then physically sealed and kept under 24-hour guard to make sure that no one gets the opportunity to do anything with them. Then, on election day itself, the PCOS will be made to print out an initialization report – again to prove that there are no pre-loaded results in them.
As to the second, Dr. Manalastas posits that someone can remotely control the canvassing system, effectively possessing the things and, I don’t know, making them spit out funky numbers or something. Fortunately, this is highly unlikely.
The building blocks of election results are the election returns. Those come from the precincts. The canvassing centers only add up the election returns. Very simple maths.
Now, if some remote controller did exist and if he did get access to the canvassing computers, all he can really do is funk up the way the addition is being done at that level. He can’t do anything to the election returns. Why? Because the PCOS won’t be connected to the network except for the two-minutes it takes to transmit election results to: the municipal canvassing center, the provincial canvassing center, the COMELEC central back-up server, the servers of the … you know the drill.
So, even if a haxxor did get into the canvassing system, he still wouldn’t be able to affect the building blocks of the final election results – the election returns – and a faithful canvass will still be achievable via the multiple parallel transmissions made from the precinct. In fact, as Dr. Manalastas himself said:
Because the PCOS machines will be stand-alones during elections and will only be connected via modem when voting has ended, Manalastas said external hacking will be difficult.
But still, Dr. Manalastas’ fears persist.
Comelec required Smartmatic-TIM to generate 246,6000 pairs of private and public keys or digital signatures, a security feature, for all members of the Board of Election Inspectors and Board of Canvassers. The public keys will be issued to the election personel, but Smartmatic gets to keep the private keys.
“By having possession of private keys, Smartmatic can make changes in the precinct ERs without anyone knowing,” Manalastas warned.
He said Smartmatic or Comelec could prepare precinct ERs with the counts for every candidate and could sign these with the private keys a few days before election and leave these in the PCOS machines. “When they deliver to the precincts, tapos na ang eleksiyon (the election is over),” he said.
To reiterate, pre-fabricated ERs are not gonna pop-up because of the procedures that the PCOS have to go through before actual election day operation. And hacking cannot insinuate a pre-fab ER into the canvassing process either, because the election returns are sent out to multiple recipients. So, a fake ER will be very obviously that: a fake. And an obvious fake is pretty pointless.
The IT consultant also revealed the lack of a program verifier and a file verifier in the PCOS and CCS.
The program verifier checks if the election programs installed in the computers are indeed the originally approved programs. The file verifier, on the other hand, checks if there are prepared ballot images, precinct ERs, COCs and SOVs.
Again, this objection proceeds from the presumption that the PCOS will arrive at the polling places pre-loaded with winners. Hence, the need for program verifiers and file verifiers. But again, seeing as how the machines will be made to prove the ‘emptiness’ of their memories before they are used on election day, these things that Dr. Manalastas bewail the lack of might not be all that crucial.
Manalastas said the Comelec also chose to disable a feature in the PCOS that would allow the voter to verify his or her vote before casting even when the poll automation law specifies voter verifiability of his or her choices.
But remember that the voter fills up a paper ballot which he -himself – then feeds into the counting machine. That’s your voter verification right there. Seriously, the voter verification requirement is critical mostly in DRE systems where there is no physical ballot to speak of. But with a paper ballot, the voter gets every opportunity to verify his vote before even feeding it into the counting machine.
The computer expert expressed concern that Smartmatic-TIM is providing only 2,200 backup PCOS units even after it acknowledged a breakdown rate of up to 10 percent of its machines. This means it should provide 8,000 backup units, he said.
With the 2,200 backups, the COMELEC is able to put a continuity plan into play that would ensure replacement of defective units within two hours. Considering that the elections will be spread out over the whole country, that standard pretty much means that 2,200 units are enough to cover the contingencies. In any case, replacement isn’t the only option. There are several layers to the continuity plan – which were detailed to the Joint Congressional Oversight Committee and which are being explained in various public fora being undertaken by COMELEC – which provide solutions for breakdowns without necessarily having to resort to replacement.
As to Dr. Manalastas’ fears about the source code review, the Technical Evaluation Committee – tasked by RA 9369 to take point on this matter – is expecting to start the code review by September.
I hope these truths help.