(Last of two parts)
First part: http://www.manilatimes.net/comelec-will-not-comply-with-e-commerce-law-in-2016-elections/244064/
Why would DOST offer their digital signing facility to Comelec?
Because it is the right thing to do in compliance with the AES Law and the e-Commerce Law! The DOST has already offered the PNPKI services to Comelec for the 2013 and 2016 elections. Hereunder are some points regarding digital signing that were discussed in the [Joint Congressional Oversight Committee on the Automated Elections System (JCOC-AES)] hearing at the Senate on August 6, 2015, presided over by Sen. Koko Pimentel, Chairman of the JCOC.
MR. CASAMBRE (from DOST). …Actually, even in 2013 we have been working with Comelec as far as the digital signatures are concerned. I think in 2013 we issued 200,000 digital signatures. And yes, sir, the national public key infrastructure is already operational. It’s being rolled out across government. And, of course, the Comelec is more than welcome to use it.
THE CHAIRMAN (Sen. Pimentel). …what is public key—private key?
MR. CASAMBRE. Sir, basically, that is the infrastructure necessary to implement the digital signatures mentioned in the E-Commerce Law.
THE CHAIRMAN. Yes. But I thought the digital signatures that you worked on were the BEI person-generated digital signatures. I don’t think—this is machine generated. What are those 200,000?
MR. CASAMBRE. …they are encryption codes assigned to individuals or to machines…
THE CHAIRMAN. So meaning to say, you can now assign a code to a person?
MR. CASAMBRE. Yes, sir.
Digital signing was further discussed in the JCOC hearing on September 17, 2015. Below are some of the highlights:
MR. C. LIM (Commissioner Christian Lim). …But for information, Your Honor, we tried to coordinate with DOST for data… what we wanted was that they generate a list of digital signatures. But under the protocols, they cannot do that unless there is a personal handshake between the BEI and DOST. That will have a logistical nightmare on the part of the Comelec… So… the danger of the BEI, assign[ed] a personal signature, does not show up on election day, then basically you have a failure of election…
MR. CELIS. If I may ask, how long will it take to implement the digital signatures or the personalized digital signatures?
MR. C. LIM. We are scheduled for configuration starting January so all the digital signatures should be in before January. And if you look at the entire country, we are looking at 300,000 BEIs…
MR. CELIS. …there should also be a contingency plan just like in our concern about transmission…If the BEI or even the board of canvasser would not be able to show up, then there has to be a contingency plan….
MR. VILLORENTE (from DOST). …I just wanted to comment regarding the digital signature. There are two steps to the process: One is signing; the other is validation of the signature. The requirement under the law…is for the attachment of that signature itself. But Comelec…is concerned about the logistics of getting the certificates inside the configuration which is…only required if you are validating the signature. But if you’re only just attaching, then you don’t need the certificates in the configuration itself because you can just accept the document as signed but need not validate it. The use for that would be for post audit. If you want to do post audit on the result, you can check who actually signed it as far as the BEI member or even the BOC member…But then if they are concerned about the logistics, then they can opt not to include the certificates in the configuration by not requiring the validation anymore during the canvassing. But that can be done as post audit…
MR. CELIS. So how long will it take to validate the digital signatures, Director Villorente?
MR. VILLORENTE. It’s less than—one second…
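The distinction drawn in the testimony above, between attaching a signature at the source and validating it later in a post-audit, shown as an added Python example (not part of the hearing record or of any Comelec, DOST or PNPKI system). The toy RSA keys, the signer IDs and the function names are constructed assumptions; a real deployment uses certificate-backed keys of proper size with standard padding.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    # Toy RSA key from two small Mersenne primes (constructed; insecure sizes).
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    # SHA-256 of the document, reduced into the key's modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, signer_id, data):
    # Signing step: the board member's private key signs the result.
    sig = pow(digest(data, key["n"]), key["d"], key["n"])
    return {"data": data, "signer": signer_id, "sig": sig}

def canvass_accept(doc):
    # Canvassing without certificates: only checks that a signature is attached.
    return bool(doc.get("signer")) and isinstance(doc.get("sig"), int)

def post_audit(doc, registry):
    # Validation step: needs the signer's public key from the registry.
    n = registry.get(doc["signer"])
    if n is None:
        return "unknown-signer"
    ok = pow(doc["sig"], E, n) == digest(doc["data"], n)
    return "valid" if ok else "invalid"

# Constructed sample keys and public-key registry (hypothetical signer IDs).
KEY_A = make_key(2**127 - 1, 2**89 - 1)
KEY_B = make_key(2**107 - 1, 2**61 - 1)
REGISTRY = {"bei-0001": KEY_A["n"], "bei-0002": KEY_B["n"]}

def run_demo():
    msg = b"precinct 0001: X=120, Y=98"  # constructed sample return
    docs = {
        "good": sign(KEY_A, "bei-0001", msg),
        "altered": dict(sign(KEY_A, "bei-0001", msg), data=b"precinct 0001: X=210, Y=98"),
        "wrong_key": sign(KEY_B, "bei-0001", msg),  # claims an ID it has no key for
        "stranger": sign(KEY_B, "bei-9999", msg),   # signer not in the registry
    }
    return {k: (canvass_accept(d), post_audit(d, REGISTRY)) for k, d in docs.items()}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

All four documents pass the attach-only check at canvassing; only the post-audit, which has the signers' public keys, separates the genuine return from the altered, mis-attributed and unregistered ones.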
It’s very clear from the JCOC hearings that the DOST scientists know what they are saying about the meaning of digital signatures, which the lawyers in Comelec refuse to understand. The latter always depend on Smartmatic’s definition that the ‘machine’ digital signatures represent the signatures of BOCs and BEIs, as a Smartmatic lawyer explained in an oral argument in the Capalla case in the Supreme Court. But what is surprising about the PCOS forensics report in 2010 is that it revealed that there’s no evidence regarding the existence of the machine digital signatures which Smartmatic was claiming to exist. Thus, Smartmatic is deceiving us Filipinos! Said lawyer reminds me of a Pope centuries ago who once said that the Earth is flat!
Comelec’s wrong interpretation of the implementation of the “resibo,” or Voter Verified Paper Audit Trail (VVPAT), is quite similar to its incorrect interpretation of digital signatures. It’s good that one of the authors of RA 9369, Sen. Dick Gordon, came out into the open to push Comelec to comply with the printing of the VVPAT.
Does Comelec really know the true meaning of Digital Signatures?
Yes, they know! The senior staff of Comelec were even trained by ePLDT in 2003 on how to use the Verisign system (now called Norton) in generating the digital signatures of the BEIs and BOCs. You may check their training program with ePLDT and view the same at: __________________. Verisign, which is commonly used by local banks in providing their internet banking facilities, has been around for almost two decades now. You’d see its logo on the main page of a bank’s website as a check mark. Digital signing is an information security method to ensure that the one transacting is not a bogus person. That is true in banking, and so it is with our automated election system.
Further, the Request For Proposal (RFP), dated March 11, 2009, for the solutions, terms and conditions for the automation of the May 10, 2010 synchronized national and local elections states on page 17 that the system shall transmit digitally signed and encrypted election results and reports, enabled by public/private key cryptography, to provide authenticity, integrity and non-repudiation utilizing at least a 128-bit encryption scheme. In short, Comelec already knew about cryptography and the use of Public Key Infrastructure (PKI) for the digital signing of BEIs and BOCs; it intended then to implement it.
So why didn’t Comelec implement it in 2010 and 2013? I could only surmise that Smartmatic could not do it! Hence, Comelec has refused to understand the true meaning of the digital signatures for six years now.
What’s the recommendation of the CAC?
From the report dated January 2014, pp. 33 to 34, the Comelec’s Advisory Council or CAC is recommending digital signatures for BEIs and BOCs for the upcoming 2016 and succeeding elections using the available Philippine National Public Key Infrastructure (PNPKI) and not to use the machine digital signatures allegedly used in 2010 and 2013.
Section 9 of RA 9369 stipulates that the CAC shall be the Comelec’s technical arm and shall provide advice and assistance in the review of the systems planning, inception, development, testing, operationalization, and evaluation in the different AES implementation stages. But unfortunately, the technical arm of Comelec is not the CAC but actually Smartmatic!
What’s the use of the CAC when Comelec violates this provision of the law? Should we amend the law and abolish the CAC? The CAC has already recommended using the PNPKI of DOST for the digital signatures of BEIs and BOCs, but Comelec stood firm on its stand to be wrong!
AES Watch Recommendation
Comelec should comply with the AES Law and e-Commerce Law first. The logistical concerns of Comelec in implementing the right digital signatures and VVPAT are only some of the project management challenges that Smartmatic should resolve.
Since the fearless forecast is non-compliance with the e-Commerce Act, and even with the AES Law, it will be best for Comelec to hold conventional manual elections in 2016 as its Plan B or contingency plan. And for the 2019 elections and beyond, the next administration should tap the core competency of the proposed Department of Information and Communications Technology (DICT) in managing an IT project like the AES.