In last month’s Joint Congressional Oversight Committee (JCOC) on Automated Election System (AES), presided over by Sen. Koko Pimentel as chairman, Commissioner Christian Lim of the Commission on Elections (Comelec) stated, “For source code audit and review, this will bring you of the algorithms and policies as reviewed to validate the correct implementation and most importantly to ensure that the code contains no hidden functionalities such as Trojan horses, conditional compilation flags, test flags or hardcore passwords. The source code review tools utilized by SLI, includes LocMetric line counter, module finder, parasoft C/C++, ExamDiff Pro and Fortify.” None of these tools is provided to the reviewers in the ongoing local source code review (SCR).
SLI, or Systest Labs Inc., currently known as SLI Global Solutions, is a foreign company based in Denver, Colorado. It is the same company that did the SCR for the 2010 and 2013 national and local elections (NLEs). For the 2016 NLEs, Comelec awarded the limited source bidding to SLI at the latter’s winning bid of US$766,375 or around P35 Million. That’s the third time; and likewise the third time of the hocus-PCOS of Smartmatic in our National and Local Elections! It’s a very consistent trend, in spite of the fact that SLI was noncompliant and suspended under the U.S. Election Assistance Commission (EAC) accreditation program.
Further, if you ask the big four (4) global auditing firms about review or auditing practices, they would tell you that a company should change its auditor or examiner after two annual audits. In short, Comelec should have set aside SLI after the two (2) AES reviews and should instead have tapped an independent and reputable reviewer for the 2016 SCR. Changing the examiner every now and then is intended to eliminate the possible scenario where “familiarity breeds contempt!” Remember what happened in the infamous, scandalous collusion between the energy company Enron and its auditing firm, Arthur Andersen? The tapping of SLI for the third time is another prominent case of having no implementing rules and regulations (IRR) for Republic Act (RA) 9369.
Why is there a foreign company doing the source code review for the Philippine AES? The AES law or RA9369 Section 11 stipulates that the Technical Evaluation Committee, headed by the Department of Science and Technology (DOST), shall certify through an established international certification entity to be chosen by the Commission from the recommendations of the Advisory Council, not later than three months before the date of the electoral exercises. Hence, Comelec is complying with this provision by tapping SLI as the said entity. However, for the rest of the technical provisions in RA9369, especially the application of security control measures (e.g., digital signatures, the “receipt” or voter verified paper audit trail, etc.), Comelec was never compliant in the past two National and Local Elections. Who do you think should be accountable for non-compliance? Enron?
Then, also last month, Comelec approved Resolution No. 9987 on the guidelines for the conduct of the SCR of the AES for the 2016 elections. Aside from what has been published in this column, “Let’s Face IT”, in the last three articles by Lito, Gus and myself, AES Watch received an email from the former IT Director of Comelec, Mr. Ernie del Rosario, regarding his views about the international SCR vis-à-vis Comelec’s, to wit:
1. Local SCR (“takip-silip”): one copy only; read-only review mode; no automated software review tools allowed; one person at a time limit; outcome = a certified source code per whatever certification standard (except an evilly-conceived one) a definite impossibility!
2. International SCR (unfettered): 24 tests; no number of copies limit; at least five (5) automated software review tools allowed (i.e., as cited by Commissioner Christian Lim); no review manpower limit; outcome = should be a certified-grade source code per EAC 2005 Voluntary Voting System Guidelines (VVSG) standard.
Mr. del Rosario concluded, “What’s the use (of the local SCR)? Aren’t we just being “CLOWNED” around by Smartmatic and Comelec?” See the slides of Mr. del Rosario at https://www.facebook.com/njcelis/media_set?set=a.10153758247866661.1073742029.546351660&type=3&uploaded=8.
Moreover, the resolution states vaguely that all interested parties and groups cannot be accommodated in the venue of the source code review. Is the venue a limitation? Did Comelec reserve a budget for the SCR covering the venue and related costs (e.g., food and transportation expenses) vis-à-vis the millions of pesos allotted for an international SCR?
From another perspective, I asked Dr. Pablo Manalastas, an AES Watcher currently involved in the conduct of the SCR, what he thinks about the local SCR. Of course, I followed up by saying, “Your answer please without violating the Non-Disclosure Agreement you signed!” He honestly replied, “I SWALLOWED MY PRIDE!” He added that as a programmer and lecturer for thirty (30) years, he would like to participate in the SCR even if he knows that Resolution No. 9987 is fundamentally in conflict with RA9369. He is coming from what Section 14 of the AES law mandates, which stipulates that “Once an AES technology is selected for implementation, the Commission shall promptly make the source code of that technology available and open to any interested political party or groups which may conduct their own review thereof.” Apparently, anybody interpreting the said Section would quickly conclude that the phrase ‘available and open’ simply means NO RESTRICTION! On the contrary, Resolution No. 9987 tells us otherwise; there are lots of restrictions. Why is that so? That’s due again to the mere absence of an IRR.
Going a bit further, though Section 14 is silent as to when this SCR will end, it is very obvious that the review should coincide with the certification of the TEC as stipulated in Section 11; that is, the successful completion of the SCR three (3) months before the elections. Comelec said that the SCR would last for seven (7) months, from October 2015 to April 2016. This is ridiculous; a wrong interpretation of the AES law! How can Smartmatic make the necessary corrections to their AES if the bugs are detected one to two weeks before May 9, 2016? Impossible! That’s why the law mandates that all AES certifications should be completed on or before February 9, 2016 and not on April 30. Why did they say seven months? Because, as AES Watch has been saying again and again, there’s no IRR! No IRR!… and… No IRR.
We sympathize with Dr. Manalastas, as swallowing one’s pride weighs heavily on one’s heart. If I may reiterate, based on my past articles, the 2010 and 2013 problems were inherited by Chairman Bautista. Sad to say, there was actually no good governance practice put in place by former Comelec Chairmen Melo and Brillantes. Case in point, the Comelec’s Strategy for 2011 to 2016 (COMSTRAT 1116) is a big failure, a key indicator of mismanagement!
The only fast-track solution, aside from coming out with an IRR, is for Chairman Bautista to make the SCR available and open to any interested political parties or groups to beat the February 9, 2016 deadline. Besides, the direct beneficiaries of an unrestricted SCR are not the reviewers, but rather the Filipino people, our democracy. Can’t they see that?
With due respect to the JCOC, please pay close attention to the compliance and interpretation of Comelec with respect to RA9369!