Defective automated election system (AES), true will of the voters not reflected in the election results, confused general public, “accidental” officials of the government, wasted taxpayers’ money, curious judges of the lower courts, improper proclamation of winning candidates due to election results not digitally signed and electronically transmitted, etc. are just some of the consequences when brilliant Comelec lawyers and the top-notch engineers and IT professionals from the Comelec Advisory Council (CAC) and Technical Evaluation Committee (TEC) don’t see eye to eye when they discuss RA 9369, RA 9184, RA 8792 and the Rules on Electronic Evidence (REE). Is there something different between these lawyers and technologists? None... if they talk in the same language that they both understand.
Let’s consider several points from the experiences we had in the 2010 and 2013 national and local elections related to digital signatures, to wit:
• The Request For Proposal (RFP), dated March 11, 2009, for the solutions, terms & conditions for the automation of the May 10, 2010 synchronized national and local elections stated on page 17 that the system shall transmit digitally signed and encrypted election results and reports enabled by public/private key cryptography to provide authenticity, integrity and non-repudiation utilizing at least 128-bit encryption scheme.
Analysis: The mere fact that the RFP highlighted public/private key cryptography (i.e., the mechanism that generates the digital signatures) means that the RFP is compliant with Section 6 Subsection (i) of the Implementing Rules and Regulations (IRR) of RA 8792 or e-Commerce Act, which states that: “Electronic key” refers to a secret code which secures and defends sensitive information that crosses over public channels (i.e., telcos) and shall include keys produced by public key cryptosystems.
But how come Smartmatic did not comply with the RFP?
• Both Comelec Resolutions 8785 (i.e., Rules and procedures for the testing and sealing of the PCOS machines) and 8786 (i.e., Revised general instructions for the Board of Election Inspectors or BEIs) stipulated not to digitally sign the election results or transmission files. In Resolution 8786, Section 40 Subsections (f) to (h) lay out the following procedure: (f) Thereafter, the PCOS shall automatically count the votes and immediately display a message “WOULD YOU LIKE TO DIGITALLY SIGN THE TRANSMISSION FILES WITH A BEI SIGNATURE KEY?”, with a “YES” or “NO” option; (g) Press “NO” option. The PCOS will display “ARE YOU SURE YOU DO NOT WANT TO APPLY A DIGITAL SIGNATURE?” with a “YES” and “NO” option; (h) Press “YES” option. A message shall be displayed “PRINTING 8 COPIES OF NATIONAL RETURNS. PLEASE WAIT”
Analysis: It is very clear from the two resolutions that there was no intention to digitally sign the election returns and certificates of canvass. Take note that RA 9369 stipulated that “The election returns/certificates of canvass transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the proclamation of a winning candidate.”
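The RA 9369 condition quoted above (a transmitted return is official only if it is digitally signed) can be enforced at the receiving end as an acceptance check. The Go program below is an added example, not code from Comelec, Smartmatic or this article; the message layout, precinct IDs, per-precinct key registry and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Transmission is a hypothetical election-return message (field names are assumptions).
type Transmission struct {
	PrecinctID string
	Payload    []byte // serialized return
	Signature  []byte // empty if "NO" was chosen at the signing prompt
}

var (
	ErrUnsigned      = errors.New("no digital signature attached")
	ErrUnknownSigner = errors.New("no registered BEI key for precinct")
	ErrBadSignature  = errors.New("signature does not verify")
)
// signedBytes binds the precinct to the payload so a return cannot be reused under another precinct.
func signedBytes(t Transmission) []byte {
	return append([]byte(t.PrecinctID+"\x00"), t.Payload...)
}

// Accept returns nil only when the return carries a signature made by the key registered for its precinct.
func Accept(reg map[string]ed25519.PublicKey, t Transmission) error {
	pub, known := reg[t.PrecinctID]
	switch {
	case len(t.Signature) == 0:
		return ErrUnsigned
	case !known:
		return ErrUnknownSigner
	case !ed25519.Verify(pub, signedBytes(t), t.Signature):
		return ErrBadSignature
	}
	return nil
}

// Demo runs four constructed cases: signed, unsigned, altered tally, unregistered precinct.
func Demo() (signed, unsigned, tampered, unknown error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key standing in for a BEI key
	reg := map[string]ed25519.PublicKey{"PRECINCT-0001": pub}
	good := Transmission{PrecinctID: "PRECINCT-0001", Payload: []byte("A=120;B=95")}
	good.Signature = ed25519.Sign(priv, signedBytes(good))
	blank, forged, moved := good, good, good
	blank.Signature, forged.Payload, moved.PrecinctID = nil, []byte("A=95;B=120"), "PRECINCT-9999"
	return Accept(reg, good), Accept(reg, blank), Accept(reg, forged), Accept(reg, moved)
}
func main() { fmt.Println(Demo()) }
```

A return sent after pressing "NO" at the signing prompt corresponds to the second case: it has no signature to verify, so the receiver cannot attribute it to a signer or detect alteration in transit.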
• Until now, Comelec has defined digital signatures as those produced by PCOS machines, but we have never heard the same for the Consolidation and Canvassing System (CCS) of municipal, city and provincial servers. They always refer to the Supreme Court’s case of Capalla v. Comelec (GR 201112) wherein the ruling is that the PCOS machine is capable of producing digitally signed transmissions.
Analysis: There’s no law in the land that accords legal recognition to machine digital signatures. With due respect, what was the basis of the decision? Was it just the explanation of Smartmatic without inspecting the machine itself? Had there been any citation from the REE and RA 8792? What is surprising about the PCOS forensics report in 2010 is that it revealed that there’s no evidence of the existence of the machine digital signatures which Smartmatic was claiming. Further, the Comelec’s RFP and Resolutions prove otherwise.
• In its report dated January 2014, pp. 33 to 34, CAC is recommending digital signatures for BEIs, and possibly for BOCs, for the upcoming 2016 and succeeding elections using the available Philippine National Public Key Infrastructure (PKI) and not to use the machine digital signatures ALLEGEDLY used in 2010 and 2013. Such PKI conforms with Comelec’s RFP regarding public/private key cryptography and with the essence of the REE and RA 8792. Smartmatic did not consider using the commercial PKI solutions of the telcos in 2010 and 2013, and those have been available for more than a decade now.
Analysis: At long last, the tandem of CAC and TEC is now seeing eye to eye with AES Watch. Will Comelec align itself with RA 8792, the REE, CAC and TEC? Will the lawyers and technologists see eye to eye?
With the above considerations, there’s no doubt that Smartmatic did not conform with the RFP, disregarded the safeguards stated in RA 9369, and should be penalized and blacklisted by Comelec.