• Familiarity breeds contempt


    IN last month’s Joint Congressional Oversight Committee (JCOC) on Automated Election System (AES) presided by Sen. Koko Pimentel as the chairman, Commissioner Christian Lim of the Commission on Elections (Comelec) stated, “For source code audit and review, this will bring you of the algorithms and policies as reviewed to validate the correct implementation and most importantly to ensure that the code contains no hidden functionalities such as Trojan horses, conditional compilation flags, test flags or hardcore passwords. The source code review tools utilized by SLI, includes LocMetric line counter, module finder, parasoft C/C++, ExamDiff Pro and Fortify.” None of these tools are provided for use by the reviewers in the ongoing conduct of local source code review (SCR).

    The SLI or Systest Labs Inc., or currently known as the SLI Global Solutions, is a foreign company based in Denver, Colorado. It was the same company that did the SCR for the 2010 and 2013 national and local elections (NLEs). And for the 2016 NLEs, Comelec awarded the limited source bidding to SLI at the latter’s winning bid of US$766,375 or around P35 Million. That’s the third time; and likewise the third time of the hocus-PCOS of Smartmatic in our National and Local Elections! It’s a very consistent trend in spite of the fact that SLI was noncompliant and suspended under the U.S. Election Assistance Commission (EAC) accreditation program.

    Further, if you ask the big four (4) global auditing firms regarding review or auditing practices, they would tell you that a company should change its auditor or examiner after two annual audits. In short, Comelec should have set aside SLI after the two (2) AES reviews and should have instead tapped an independent and reputable reviewer for the 2016 SCR. The exercise of changing the examiner every now and then merely intends to eliminate the possible scenario of having “familiarity breeds contempt!” Remember on what happened with the infamous scandalous collusion between the energy company Enron and its auditing firm, Arthur Andersen? The tapping of SLI for the 3rd time is another prominent case of having no implementing rules and regulations (IRR) for the Republic Act (RA) 9369.

    Why is there a foreign company doing the source code review for the Philippine AES? The AES law or RA9369 Section 11 stipulates that the Technical Evaluation Committee, headed by the Department of Science and Technology (DOST), shall certify through an established international certification entity to be chosen by the Commission from the recommendations of the Advisory Council, not later than three months before the date of the electoral exercises. Hence, Comelec is complying with this provision by tapping SLI as the said entity. However, for the rest of the technical provisions in RA9369, especially the application of security control measures (e.g., digital signatures, the “receipt” or voter verified audit paper audit trail, etc. ), Comelec was never compliant in the past two National and Local Elections. Who do you think should be accountable for non-compliance? Enron?

    Then Comelec approved Resolution No. 9987 last month also regarding the guidelines in the conduct of the SCR of the AES for the 2016 elections. Aside from what has been published in this column “Let’s Face IT” for the last three articles of Lito, Gus and myself, AES Watch received an email from the former IT Director of Comelec, Mr. Ernie del Rosario, regarding his views about International SCR vis Comelec’s, to wit:

    1. Local SCR (“takip-silip”): one copy only; read-only review mode; no automated software review tools allowed; one person at a time limit; outcome = a certified source code per whatever certification standard (except an evilly-conceived one) a definite impossibility!

    2. International SCR (unfettered): 24 tests; no number of copies limit; at least five (5) automated software review tools allowed (i.e., as cited by Commissioner Christian Lim); no review manpower limit; outcome = should be a certified-grade source code per EAC 2005 Voluntary Voting System Guidelines (VVSG) standard.

    Mr. del Rosario concluded, “What’s the use (of the local SCR)? Aren’t we just being “CLOWNED” around by Smartmatic and Comelec?” See the slides of Mr. del Rosario at https://www.facebook.com/njcelis/media_set?set=a.10153758247866661.1073742029.546351660&type=3&uploaded=8.

    Moreover, the resolution states vaguely that all interested parties and groups cannot be accommodated in the venue of the source code review. Is the venue a limitation? Did Comelec reserve a budget for the SCR covering the venue and related costs (e.g., food and transportation expenses)vis the millions of pesos allotted for an international SCR?

    On another perspective, I asked Dr. Pablo Manalastas, who is an AES Watcher currently involved in the conduct of SCR, concerning what he thinks about the local SCR. Of course, I followed up by saying, “Your answer please without violating the Non-Disclosure Agreement you signed!” He honestly replied, “I SWALLOWED MY PRIDE!” He added that as a programmer and lecturer for thirty (30) years, he would like to participate in the SCR even if he knows that the Resolution No. 9987 is fundamentally in conflict with RA9369. He is coming from what the Section 14 of AES law mandates which stipulates that “Once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested political party or groups which may conduct their own review thereof.” Apparently, anybody who would interpret the said Section could quickly think that the statement ‘available and open’ simply means NO RESTRICTION! On the contrary, Resolution No. 9987 tells us otherwise; there are lots of restrictions. Why is that so? That’s due again to the mere absence of an IRR.

    Going a bit further, though Section 14 is very silent as to when will this SCR end, it is very obvious that the review should coincide with the certification of the TEC as stipulated in Section 11; that is, the successful completion of SCR three (3) months before the elections. Comelec said that the SCR would last for seven (7) months, from October 2015 to April 2016. This is ridiculous; a wrong interpretation of the AES law! How can Smartmatic do the necessary correction/s on their AES if the bugs would be detected one to two weeks before May 9, 2016? Impossible! That’s why the law is mandating that all AES certificati ons should be completed on or before February 9, 2016 and not on April 30. Why did they say seven months? Because, as AES Watch has been saying again and again, there’s no IRR! No IRR!…and..No IRR.

    We sympathize with Dr. Manalastas as swallowing owns pride is really heavy in one’s heart. If I may reiterate, based from my past articles, the 2010 and 2013 problems were inherited by Chairman Bautista. Sad to say, there was actually no good governance practice in place set by former Comelec Chairmen Melo and Brillantes. Case in point, the Comelec’s Strategy for 2011 to 2016 (COMSTRAT 1116) is a big failure, a key indicator of mismanagement!

    The only fast track solution, aside from coming out with IRR, is for Chairman Bautista to make the SCR available and open to any interested political parties or groups to beat the February 9, 2016 deadline. Besides, the reviewers are not the direct beneficiaries of having unrestricted SCR, but rather the Filipino people, our democracy. Can’t they see that?

    With due respect to the JCOC, please pay close attention to the compliance and interpretation of Comelec with respect to RA9369!


    Please follow our commenting guidelines.


    1. ” However, for the rest of the technical provisions in RA9369, especially the application of security control measures (e.g., digital signatures, the “receipt” or voter verified audit paper audit trail, etc. ), Comelec was never compliant in the past two National and Local Elections. Who do you think should be accountable for non-compliance? ”

      If the Comelec was never complaint in the past two elections, why do you think the Supreme Court allowed it? The truth is you re spreading blatant lies. The Supreme Court already ruled on these issues prior to the 2010 elections via the Harry Roque case. Carefully read the SC ruling in this case and you will find out that the issues you keep on rehashing have already been resolved.

      With regards to the source code review, while the law (RA 9369) mandates it in the spirit of full disclosure and transparency, Resolution No. 9987 protects other laws, Intellectual Property and National Security. The two are not in conflict, they are actually complimentary, holistic and more pragmatic. Problem is you interpret things to favor your ulterior motives and hidden agenda. You are misleading the public for personal gain and disguise this as your BAYANihan. Shame on you!!!

    2. The solution is simple to make sure that there is no shenanigans in the forthcoming elections: CONDUCT A PARALLEL MANUAL COUNT AT THE PRECINCT LEVEL to validate the computerized counting. There is no violation to the law mandating computerization of our elections as the manual count is a mere parallel operations. Bakit kaya ayaw nila when the incremental cost needed is very much affordable???????

    3. I am reminded of one tool NBI uses (and most law enforcement entities worldwide) in preliminary criminal investigations – the so called “paraffin test.” It is where melted (so hot) paraffin wax is poured onto the suspect’s hands and allowed to cool before these are removed from the suspect’s hands for further analysis. The analysis will determine if the suspect’s hands contain traces of gunpowder in them which one gets upon firing a gun. A long time ago, I discussed this method from an active NBI agent about how effective it really is. He said that it is more of crude method and cannot be relied on highly as solid evidence because traces of nitrates (a gunpowder ingredient) can be lodged on hands that just recently were used to strike a match, light a firecracker or luces, etc. So housewives are on an unfairly disadvantageous end for they usually do the cooking at home. The NBI agent said that the value of the test is really in the psychological aspect. The very act of being subjected to a paraffin test triggers so much fears on the suspect (especially the really guilty ones) to admit to the crime even before the first drop of the melted paraffin hits his hands.

      The SCR may be something similar. It is in fact not a 100% effective or fool-proof method of detecting fraudulent codes in a set of source codes. Some value of SCRs are more of as a deterrent so software solution HONEST vendors will tend to produce and sell “clean” source code. Those who deliberately are afraid of being found out to have imbedded fraudulent codes because they know they did this will do all kinds of contortions to prevent a real SCR according to industry and domain standards from being conducted. So they throw in all restrictions to render the SCR completely useless for being totally ineffective.

      THIS IS PRECISELY WHAT SEEMS TO BE HAPPENING IN THE ONGOING CONDUCT OF THE SCR OF THE 2016 AUTOMATED ELECTION SOLUTION SOURCE CODE FROM SMARTMATIC. The other terribly wrong thing being imposed is having the review participants sign a Non-disclosure Agreement (NDA) which is utterly preposterous ! The NDA bars the participants from disclosing any findings it has on the review directly to the outside world on pain of a possible legal suit. These findings have to be filtered first by Comelec before being reported out. What is the use then of the SCR ? Palusot / Palabas ? Just to create an illusion that the AES law is being followed ?

      • NATIONAL SECURITY, this is something you keep forgetting. It’s like the the Army giving their battle plan to the Abu Sayaf. And you want this to happen???