Voting with the modern ballot

In Automation, educ/info on 1 September 09 by jimenez Tagged: , ,


Using the modern ballot is this easy.



32 flavors and then some

In Automation on 31 August 09 by jimenez


If anything, it’s not the science that will scuttle automation, but the press releases.

Here’s the latest release – and the same old “warnings” about the “more than 30 vulnerable spots.”

A political analyst has warned that the Philippines may actually end up with an “automated disaster” in next year’s elections if the Commission on Elections (Comelec) and the consortium Smartmatic-TIM failed to install safeguards and security measures on more than 30 vulnerable spots of the automated election system (AES).

Prof. Bobby Tuazon of the Center for People Empowerment in Governance claimed that they have identified at least 30 vulnerable spots in the AES, stressing the list is growing and may lead to a “disastrous” elections.

We have repeatedly asked for a list of these more than 30 – and growing … kinda like that ice cream with 32 flavors and then some – vulnerablities. In fact, in a recent letter (26 August 2009 actually) sent out by Atty. Ferdinand Rafanan, we formally reiterated this request.

More than a mere briefing, the Commission would appreciate a copy of your “19-page, 3-month policy study on the Automated Election System of the COMELEC,” together with the full documentation as per your claim of having the “first comprehensive study.” This should properly support your findings on the alleged “disturbing vulnerabilities in the AES.”

Still, CenPEG – perhaps with excellent media savvy – continues to flail away with its vague rumblings of impending doom.

“The system’s vulnerabilities make the whole AES fragile and prone to internal rigging, tampering, retail and wholesale cheating all over the country,” he noted.

Tuazon said the vulnerable spots were in place in the whole system from ballot printing, warehousing of the counting machines, hardware and software deficiencies, voting, counting, electronic transmission of votes to canvassing and proclamation of winners.

“The alarming list, however, does not include yet the weak spots in the infrastructure system such as telecommunications, phone and electric lines, and cell sites,” he stressed.

Other vulnerable spots are the lack of a source code review, possible lapses in the digital signature, possible unofficial access to the canvassing servers, and the lack of voter’s verifiability.

He said the review of the source code by independent ICT experts and other “interested parties,” which the election modernization law (Republic Act 9369) requires, can verify whether the counting and canvassing are done properly and no cheating is possible.

Tuazon added his group is airing this concern to prevent the same scenario that took place during the 2008 elections in the Autonomous Region in Muslim Mindanao when the Comelec failed to review the source codes in that poll exercise.

Now, inasmuch as I am quoting from what is presumably a press release, I imagine that Tuazon was merely mistaken when…

He also noted that the Comelec has yet to respond to CenPEG’s official request last May 26 to provide the source code for review.

… since on the 26th of August, the COMELEC did respond to him and various other consultants of CenPEG on precisely the issue of the source code.

Of course, if he wasn’t merely mistaken, then he was just lying.

Speaking of lying, do you know how internet hoaxes are identified? Among other things, investigators look for details that seem calculated to generate the most revulsion or fear. The “gross-out” factor, they call it. Incidentally, in this latest press release of CenPEG, the “freak-out” factor is slathered on a bit too thickly.

“The more than 30 vulnerable spots should even prompt the Philippine National Police to revise its list of six election hot spots. The infrastructure system may even be vulnerable to jamming, sabotage and other threats by some groups with the intent to cause a failure of election or manipulate election returns,” he stressed.

“Election hot spots” should not begin and end with the incidence of violence, Tuazon said.

“But in the 2010 automated poll, the whole country is an election hot spot,” he added.

If a place is violent enough to warrant being called an area of concern – the hotspot Tuazon’s referring to – I doubt that jammed up PCOS machines will be high on the list of police priorities. It betrays a sorry – especially so since CenPEG claims a pedigree of election monitoring – misunderstanding of how hotspots are identified and dealt with.

For one thing, with or without an automated system in place, areas of concern remain so because of their history, because of the political rivalries in that area, or because of that area’s location relative to on-going armed conflicts. There is absolutely no reason – apart from the desire to spread fear – to imagine that having a counting machine in a particular precinct will make that precinct more vulnerable to violence. That is arrant nonsense.

Tuazon also asked the Comelec “to stop spreading the illusion that with technology everything is A-OK and for Smartmatic-TIM to refrain from hyping about a ‘dream poll’ because both claims are unfounded.”

We’ll stop re-assuring the public maybe when you stop scaring them, Mr. Tuazon. I think that sounds fair. After all, when you talk about assurances being unfounded, one wonders what the basis for your fears are. It’s very clear that everything CenPEG has been harping on has been founded simply on what-if’s and could-be’s. Awesome basis for stampeding the people back into the arms of the flawed manual system.



Do not disappoint

In 2010, Automation, COMELEC on 29 August 09 by jimenez

I was at a radio station today, fielding questions about automation, and I noticed something very interesting. Most of the callers and texters wanted to know how the process works. They were very eager to understand how automation promises to change the voting experience. In marked contrast, the questions coming from the hosts were focused almost exclusively on what could go wrong.

It was, needless to say, a schizophrenic experience.

But an important lesson too. The people, it seems, are truly ready for this change and the fear that some quarters claim is widespread, is nothing of the sort.

Unfortunately, those who are supposed to be in a better position to intelligently handle their apprehensions – which are, after all, a normal aspect of any major change – seem to be the ones proving to be quite unable to. They latch on to the vague and half-explained scenarios of doom as though they were repeating gospel truth; they scare themselves sleepless worrying about concepts they do not even completely grasp simply because this expert or that PhD., seemed to be worried even more and, well, God-forbid that we be considered bumpkins because we didn’t fear the same things these sophisticates are all a-tremble over.

And so, you have lawyers and businessmen, judges and academics, all spouting the same half-truths and misrepresentations being peddled by those who would see the country yet again prevented from discarding a flawed electoral system.

They often preface their attacks with “I’m in favor of automation, what assurance can you offer that  ….” insert doomsday scenario here. The funny thing is, when provided with explanations and assurances they cannot poke holes in, they end up waving it off and resorting to their ultimate fall-back – “we can’t trust the COMELEC.”

Even funnier, some take issue with the fact that explanations are forthcoming. Those people leave me scratching my head. I’m like, so you would prefer it if we didn’t have an answer to your concerns? But then again those are the people who convince me that theirs is not to really improve the plan through principled and constructive criticism, but rather to tear it down by endlessly repeating their shibboleths until ordinary people can no longer distinguish between what they’re saying and what the truth is.

Sadly, these people who can no longer distinguish between what is for real and what are scare-tactics include critical decision makers and influencers and shapers of opinion. These people who, because of what they represent in society, are supposed to be able to think more clearly and to see better when the need for audacity outweighs timorous quivering. Instead, they seems to be all rushing to the forefront of the retreat from the future.

Thankfully, they seem to be doing all the retreating all by themselves. Out in the streets, in the schools, in the business establishments, in the various forums, people are excited about automation. They want to see it happen. They are eager for this next step. The challenge for the COMELEC therefore, is very simple.

Do not disappoint.


La Verdad

In 2010, Automation on 24 August 09 by jimenez Tagged: , , ,

In an article out of the VERA files, Garcillano is once again being invoked as a boogeyman to spook the people into rejecting the automation of the 2010 elections. I’ve linked to the article, so I’ll just go straight into it and offer up a few clarifications.

Manaslatas laid out the possible scenarios: What if the two special felt-tip pens allotted per precinct dry up before voting ends and voters have nothing to write their choices with? What if the counting machine gets jammed when ballots are being fed to it? What if the local GPRS connection is bad and slows the transmission of the results from the precincts to the municipal or city canvassers? Or what if someone snatches the laptop computer at the canvassing center?

Seriously? Felt-tip pens running dry are gonna muck up the elections? It seems to me unfortunate that Dr. Manalastas thinks that the COMELEC is so benighted that we would willingly let the election be hostage to dried up magic markers.

He then asks, what about jammed counting machines? The COMELEC’s continuity plan, presented to the Senate and the Supreme Court, features a machine replacement protocol that calls for the defective or malfunctioning PCOS to be replaced within two hours from the time the decision to replace the unit was made.

Bad GPRS connection? Again, the COMELEC’s deployment plan provides for redundancies such that if one mode of transmission fails an alternate mode kicks in. In any case, signal strength fluctuates, yes? It is highly possible that the poor signal you’re cussing out now will pick up in a few minutes, so this isn’t really a major cause of concern. And as for a laptop being snatched from the canvassing center … a canvassing center is more secure than a bank, what with the press of human bodies all eager to witness the canvassing. And anyway, in the unlikely event that something of the sort does happen, Dr. Manalastas forgets that there is a back-up set of data – whether they be election returns or municipal or provincial reports – in the COMELEC central server and the servers of the citizen’s arm, the dominant majority and minority, the KBP, and on the public website. Snatching the canvassing laptops only delays the process. It. is. not. fatal.

But these scenarios aren’t as worrisome as what else could happen: The whole system could be rigged, and all computers—from those at the precincts all the way to those at the Commission on Elections and Congress that will canvass the results for the senatorial and presidential elections—could be pre-programmed to make certain candidates win.

How could this happen?

The Precinct Count Optical Scan (PCOS) machines could arrive at the precincts with prepared ballot images and election results already inputted into the system, and the computers for canvassing with prepared Certificates of Canvass (COC) and Statements of Votes (SOVs). And at any stage of the elections, someone who has the root password could log into the system from a remote site and control the canvassing computers—and the canvassers wouldn’t even know. This could happen as early as municipal canvassing because the computer will stay connected to the network for 24 to 72 hours via modem starting at 6 p.m. of election day.

In brief, Dr. Manalastas posits that: first,  the PCOS might arrive at the polling places pre-loaded with results – kinda like a new Mac; and second, that someone can log into the canvassing computers and monkey with the results.

As to the first, Dr. Manalastas forgets that COMELEC procedure calls for the run-through of the system very close to election day during which it will be demonstrated that the machines have nothing pre-loaded in them. The machines are then physically sealed and kept under 24-hour guard to make sure that no one gets the opportunity to do anything with them. Then, on election day itself, the PCOS will be made to print out an initialization report – again to prove that there are no pre-loaded results in them.

As to the second, Dr. Manalastas posits that someone can remotely control the canvassing system, effectively possessing the things and, I don’t know, making them spit out funky numbers or something. Fortunately, this is highly unlikely.

The building blocks of election results are the election returns. Those come from the precincts. The canvassing centers only add up the election returns. Very simple maths.

Now, if some remote controller did exist and if he did get access to the canvassing computers, all he can really do is funk up the way the addition is being done at that level. He can’t do anything to the election returns. Why? Because the PCOS won’t be connected to the network except for the two-minutes it takes to transmit election results to: the municipal canvassing center, the provincial canvassing center, the COMELEC central back-up server, the servers of the … you know the drill.


So, even if a haxxor did get into the canvassing system, he still wouldn’t be able to affect the building blocks of the final election results – the election returns – and a faithful canvass will still be achievable via the multiple parallel transmissions made from the precinct. In fact, as Dr. Manalastas himself said:

Because the PCOS machines will be stand-alones during elections and will only be connected via modem when voting has ended, Manalastas said external hacking will be difficult.

But still, Dr. Manalastas’ fears persist.

Comelec required Smartmatic-TIM to generate 246,6000 pairs of private and public keys or digital signatures, a security feature, for all members of the Board of Election Inspectors and Board of Canvassers. The public keys will be issued to the election personel, but Smartmatic gets to keep the private keys.

“By having possession of private keys, Smartmatic can make changes in the precinct ERs without anyone knowing,” Manalastas warned.

He said Smartmatic or Comelec could prepare precinct ERs with the counts for every candidate and could sign these with the private keys a few days before election and leave these in the PCOS machines.  “When they deliver to the precincts, tapos na ang eleksiyon (the election is over),” he said.

To reiterate, pre-fabricated ERs are not gonna pop-up because of the procedures that the PCOS have to go through before actual election day operation. And hacking cannot insinuate a pre-fab ER into the canvassing process either, because the election returns are sent out to multiple recipients. So, a fake ER will be very obviously that: a fake. And an obvious fake is pretty pointless.

The IT consultant also revealed the lack of a program verifier and a file verifier in the PCOS and CCS.

The program verifier checks if the election programs installed in the computers are indeed the originally approved programs. The file verifier, on the other hand, checks if there are prepared ballot images, precinct ERs, COCs and SOVs.

Again, this objection proceeds from the presumption that the PCOS will arrive at the polling places pre-loaded with winners. Hence, the need for program verifiers and file verifiers. But again, seeing as how the machines will be made to prove the ’emptiness’ of their memories before they are used on election day, these things that Dr. Manalastas bewail the lack of might not be all that crucial.

Manalastas said the Comelec also chose to disable a feature in the PCOS that would allow the voter to verify his or her vote before casting even when the poll automation law specifies voter verifiability of his or her choices.

But remember that the voter fills up a paper ballot which he -himself – then feeds into the counting machine. That’s your voter verification right there. Seriously, the voter verification requirement is critical mostly in DRE systems where there is no physical ballot to speak of. But with a paper ballot, the voter gets every opportunity to verify his vote before even feeding it into the counting machine.

The computer expert expressed concern that Smartmatic-TIM is providing only 2,200 backup PCOS units even after it acknowledged a breakdown rate of up to 10 percent of its machines. This means it should provide 8,000 backup units, he said.

With the 2,200 backups, the COMELEC is able to put a continuity plan into play that would ensure replacement of defective units within two hours. Considering that the elections will be spread out over the whole country, that standard pretty much means that 2,200 units are enough to cover the contingencies. In any case, replacement isn’t the only option. There are several layers to the continuity plan – which were detailed to the Joint Congressional Oversight Committee and which are being explained in various public fora being undertaken by COMELEC – which provide solutions for breakdowns without necessarily having to resort to replacement.

As to Dr. Manalastas’ fears about the source code review, the Technical Evaluation Committee – tasked by RA 9369 to take point on this matter – is expecting to start the code review by September.

I hope these truths help.



In 2010, Automation on 24 August 09 by jimenez Tagged: , , , ,

I’ve recently posted a few notes on Facebook. Since it’s a little tedious to actually re-post them all here, I’ll just give you the links.

Everybody a Quick-Counter was also cross posted over at Philippine Commentary.


new digs

In Journal on 17 June 09 by jimenez

I moved to



In Automation on 17 May 09 by jimenez Tagged: ,

Can you say “overacting?”

The public response to Chairman Jose Melo’s avowed nightmare scenario seems overboard, doesn’t it?

Of course no one wants the elections to be canceled – least of all the COMELEC. What good would that do us?

Think about it for awhile. These reactions to what Melo said are underpinned by one basic idea: that no one has actually considered the possibility that some disgruntled group might actually file a case with the Supreme Court seeking to enjoin automation, with the Court actually issuing a temporary restraining order, or – worse – not issuing a TRO and then, with the elections coming up, suddenly voiding the automation contract. If that happens close enough to the polls, then how can the COMELEC possibly prepare for an election?

Legarda said in a statement: “Who gets to benefit from a no-election scenario? Isn’t it the administration? Now comes the Comelec doing a mind conditioning of its own, wittingly or unwittingly, by saying that losing bidders may sue to stop not only poll automation but the election itself.”

First of all, losing bidders cannot sue. And mind conditioning? Hardly. Call it prudence instead, that we are telling the people what the possibilities are without sugar-coating the more nasty ones. The truth is, the people must know that if and when a suit is brought before the SC to shoot down automation, they must be doubly vigilant that it is not frivolous or founded on some misplace professional pride or based on a warped idea of patriotism.

More to the point, the public must know that their rests a very significant responsibility on the shoulders of the SC to be very careful about what suits to entertain and – as a learning from the 2004 experience – to be very cautious about scuttling the project so close to election day.

Escudero, chair of the Senate oversight committee on poll automation, said if the bidding process was above board, “he (Melo) should be able to sleep well.”

With all due respect to the Senator, a spotless bidding process does not guarantee that no suits will be filed. It’s not only the bidders that can bring suit, after all. The automation contract is an expenditure of public funds, hence it can be a very tasty target for a taxpayer’s suit. Which means that practically anyone can gun for it. This includes people who are fronting for losing bidders and anyone who thinks that he knows better than a Constitutional body how it’s job should be done. In the latter category, count everyone who thinks that automation should not be nationwide, or should not be for all races. Include also everyone who claims to know information technology and has a thousand and one ideas on how things should be conducted. And of course, it is the blind man who ignores that there is a certain nihilistic thrill to scuttling a government project of this magnitude.

Secretary Gonzalez said talk of a no-election would only “fan the sinister imagination of critics.” He said there would “always” be elections because “we can always revert to the old [manual] system.”

True enough. But then again, what if the SC were to void the contract too close to the elections? Say, three months before? We all would like to think that the SC would not do such a thing, but what if it did? Are we supposed to ignore that possibility and so, not prepare for it?

Because really, that’s all there is to it: acknowledging the possibility of a problem and preparing for it. We know that there is no way we can guarantee that some person or group won’t get it into their heads to second-guess the COMELEC. The least we can do, therefore, is to warn the public – and everyone else who might find it in their power to do the right thing – of the dire consequences of a suit filed late, or an SC decision promulgated even later.