(First of two parts)
THE Automated Election System (AES) Watch already predicted (Episode I) late last year that the Commission on Elections (Comelec) would not meet the deadline set by the AES law (i.e., RA 9369) for yesterday, February 9, 2016, specifically for compliance with the provisions related to tests and certifications (http://www.manilatimes.net/fearless-forecast-comelec-will-not-comply-with-the-aes-law-in-2016/236874/).
It all came true – source code reviews have problems and have not been completed; comparisons of source codes with equipment are yet to be done; contingency plans have not been certified, etc.
But come to think of it: The Comelec very strictly enforced its deadlines for non-AES related activities. They rigorously made sure that the dates for the following were adhered to – voter registration, biometrics verification, filing of candidacy, gun ban, campaign period, etc. There’s no such thing as compromise if one fails to meet the Comelec’s deadlines.
Ironically, when the Comelec fails to comply with the deadlines set by the AES law, nobody in their ranks seems to be accountable for the non-compliance!
Based on Comelec’s AES implementation in the 2010 and 2013 elections, AES Watch predicted Comelec’s non-compliance with the e-Commerce Act of 2000 (i.e., RA 8792) vis-à-vis the AES Law this coming May 9, 2016. Another basis for such a forecast is the non-promulgation of the AES Law’s Implementing Rules and Regulations (IRR) as mandated in Section 37 of the law. Without the IRR, Comelec will never understand the real intentions of the AES Law.
It’s a good thing that Comelec promulgated the IRR of another law, the Fair Elections Act, last week. It’s very straightforward and easy to understand. On the other hand, the Biometrics Law was promulgated in 2013 but needs more enhancement. With the AES Law, by contrast, Comelec has been telling the public for the past nine (9) years that their Guidelines or General Instructions for the past AES implementation would suffice. Isn’t it a violation of the AES law not to comply with its mandate to come out with an IRR? It is only the AES Watch group that has been prodding Comelec to produce the IRR. We hope that the next Administration/Congress will seriously take a closer look into Comelec’s promulgation of the IRR.
Episode II of Comelec’s non-compliance deals with the authentication of electronically transmitted and digitally signed election results (i.e., the election returns or ERs and certificates of canvass or COCs) based on Section 30 of the AES Law. As an information security measure, the election results should be authenticated following the certification procedures for electronic signatures as provided in the e-Commerce Law, as well as the rules promulgated by the Supreme Court. Said authenticated results shall be the bases for proclaiming the winning candidates, as also stipulated in the AES Law.
The Information and Communications Technology Office (ICTO) of the Department of Science and Technology (DOST) has already established the said certification procedures, launched in December 2011 as the Digital Certification Center, an integral part of the Philippine National Public Key Infrastructure (PNPKI). How the PNPKI works may be viewed at https://www.youtube.com/watch?v=bsPM9kafqv8.
What is the e-Commerce Law vis-à-vis the AES Law?
Batas Pambansa Blg. 881 of 1985 (i.e., the Omnibus Election Code of the Philippines) is clear about the actual signatures of the Board of Election Inspectors (BEIs) and Board of Canvassers (BOCs) affixed on the ERs and COCs, respectively. These signatures were later converted by the framers of RA 9369 into digital signatures based on the e-Commerce Law and the Supreme Court’s Rules on Electronic Evidence (REE).
The most salient features of the e-Commerce Law vis-à-vis the AES Law are the legal recognition of electronic documents and the legal recognition of electronic signatures. Per the e-Commerce Law and its IRR, an electronic signature relating to an electronic document shall be equivalent to the signature of a person on a written document. The REE, meanwhile, defines digital signatures as any distinctive mark, characteristic and/or sound in electronic form representing the identity of a person.
In June 2009, all of these early undertakings regarding digital signatures were further cemented by Executive Order (EO) No. 810, mandating the institutionalization of the certification scheme for digital signatures and directing the application of electronic signatures in e-Government services. It was signed by former President Gloria Macapagal Arroyo and some of the statements highlighted therein are the following:
• An electronic signature represents the identity of the person attached to an electronic document, employing any procedure to authenticate or approve the electronic document;
• Section 8 of e-Commerce Law provides for the legal recognition of electronic signatures and imposes strict requirements before an electronic signature qualifies as a handwritten signature;
• By imposing such strict requirements to prove the authenticity, integrity and reliability of electronic signatures, the e-Commerce Law validates only electronic signatures, which include, but are not limited to, digital signatures, which are generated through technology that complies with all the requirements enumerated in the Act;
• The REE issued by the Supreme Court in 2001 in accordance with the provisions of the e-Commerce Act, defines digital signature as “an electronic signature consisting of a transformation of an electronic document or an electronic data message using an asymmetric or public cryptosystem such that a person having the initial untransformed electronic document and the signer’s public key can accurately determine: (i) whether the transformation was created using the private key that corresponds to the signer’s public key; and (ii) whether the initial electronic document had been altered after the transformation was made.”
That means, even before the Smartmatic domination in our AES for almost six (6) years now, the digital signature had already been defined vividly and concretely by the e-Commerce Law and REE.
Hence, the electronic documents referred to in the AES Law are the ERs and COCs while the digital signatures refer to the signatures of BEIs and BOCs on written ERs and COCs, respectively. That’s very clear!
There’s no such thing as “machine” digital signature in the annals of Philippine law to represent the signatures of BEIs/BOCs on written ERs/COCs. Smartmatic’s claim for the validity of their “machine” digital signature in the past two elections is a big LIE!
(To be continued)