|
BY ED LINGAO PHILIPPINE CENTER
FOR INVESTIGATIVE JOURNALISM
Editor’s note: In the first
part, the report said that the “irreconcilable differences”
between Smartmatic and TIM—the winning consortium in the
poll-automation project—was likely headed for a long and costly
arbitration in Singapore.
(Last of two parts)
Their planned joint venture now
hangs by a thin thread, but squabbling partners Barbados-registered
Smartmatic International and local counterpart Total Information
Management Corp. (TIM) have also yet to tie down many loose ends in
their winning bid to automate the 2010 elections.
Chief
among the concerns are security issues now being raised by computer
experts, non-governmental groups, and even members of the Commission
on Elections Advisory Council (CAC) that oversaw the protracted, if
transparent, bidding process. These unresolved security issues have
raised the specter of an automated exercise where the cheating will
not just be as fast as the counting, but harder to detect as well.
Last
week, Smartmatic, the partner tasked with manufacturing the Precinct
Count Optical Scan (PCOS) machine, told the Commission on Elections
(Comelec) that it wanted to replace its SAES1800 PCOS machine with a
newer model, which had yet to undergo the commission’s stringent
battery of technical tests.
This
was two weeks after Smart-matic presented at a public demo the
SAES1800 PCOS model to the Comelec’s Special Bids and Awards
Committee for technical evaluation. That machine passed all the
requirements of the committee’s technical working group, bagging
the automation contract for the Smartmatic-TIM venture.
The
SAES1800 PCOS machine is basically an optical scanner that reads and
collates the paper ballots of voters. The built-in proprietary
software tallies the results, and transmits them to the municipal,
provincial, and national canvassing centers. This software also
ensures that only authorized personnel can use the machine, and
transmit untampered data.
Security
nightmare
Smartmatic’s
“newer model” has similar features with this machine—with one
crucial difference: the proprietary security and counting software
would no longer be housed and secured inside the machine itself, but
contained in a removable memory card that would be in the custody of
members of the Board of Election Inspectors, according to Ramon
Casiple, chairman of the Consortium on Electoral Reforms (CER) which
is also a member of the advisory council.
Casiple
said Smartmatic informed the Comelec and the advisory of this new
development last week. While Comelec’s position on the new
proposal is still unclear, Casiple added that the stand of members
of the advisory council was unequivocal: “Our position is that
this cannot be allowed. We immediately saw the problem with
security.”
“The
program and the data will now be in the memory card,” Casiple said
of the new model. “If these are damaged or tampered with, the
whole machine is compromised.”
With
82,000 PCOS machines to be distributed nationwide for next year’s
elections, information technology experts balk at the thought of
having memory cards containing the critical software in the personal
custody of 82,000 individuals. It would be a security nightmare, to
say the least.
Easier
for cheats
“The
software has to be secured from tampering and alteration,” said IT
expert Ken Tiambeng. “If [the software] is in a memory disk or a
flashdrive, that makes it unsecure. You can easily change it, alter
the codes, then plug it in the machine, and say it’s authentic.”
Tiambeng
said any cheater who wants to tamper with the vote-counting software
must first get a copy of the original software. That would have been
harder if the software were burned into a chip contained inside the
machine itself. But getting a copy of the software would be
infinitely easier if the software is in a removable memory stick
that is in the hands of 82,000 sets of Board of Election Inspectors.
Tiambeng
added, “You can easily go to the machine, put whatever results or
algorithm you want, and do the dagdag-bawas [vote shaving] in an
automated fashion.”
Before
the Comelec could resolve the question, Smartmatic and TIM had a
falling out over the terms of their joint venture. The issue has
been sidelined for the moment as the two partners bicker over who
gets control of the joint venture’s board.
Digital signatures
Why
Smartmatic decided to offer a new model at the last minute has yet
to be explained by the firm. It has been an open secret, however,
that its original system had been facing increasing scrutiny from
the IT sector.
Prof.
Pablo Manalastas of the Ateneo de Manila Computer Science Department
and the Center for People Empowerment in Governance (CENPEG) said
the real key to the sanctity of the ballot is the “private key”
to be issued to the Board of Election Inspectors. Unfortunately,
Manalastas added, the private key was not going to be very private
at all.
After
the Board of Election Inspector collates the results, it “seals”
the tally with a digital signature using a private key before
transmitting them to the canvassing centers. The digital signature
is akin to a wax seal that authenticates the validity of an official
document, and the private key is what seals it.
But in
its Bid Bulletin No. 10 issued on April 15, 2009, the Comelec’s
bids committee stated that: “The digital signature shall be
assigned by the winning bidder to all members of the BEI and the BOC
[Board of Canvassers] . . . The digital signature shall be issued by
a certificate authority nominated by the winning bidder and approved
by the Comelec.”
Smartmatic’s
shortcuts
What
this means is that the digital signatures would be generated and
assigned by Smartmatic or a group chosen by Smartmatic. Manalastas
explained that this was dangerous, because one group would now have
the digital signatures with which to tamper any or all the results
from the 82,000 PCOS machines.
“What
it boils down to is that Smartmatic will have possession of the
secret and public keys of all the BEI personnel,” Manalastas said.
“The person who is in possession of the secret key can change the
vote of the precinct.”
Ordinarily,
he added, the private keys used to affix digital signatures were
generated by the user himself by going online and registering with
accredited international certificate authorities like VeriSign and
Comodo. It was not assigned by just any group or a person.
The
Comelec may have chosen to shortcut this complex procedure by simply
allowing the winning bidder to do it for all the Board of Election
Inspectors.
Manalastas
said that theoretically, Smartmatic could now “unlock” the
tallies from the precincts, change the results, and then seal them
again using the private keys. The tampering is even harder to trace
because the changed results were sealed with the same private keys
of the election inspectors.
In the
end, Tiambeng said, it would be a matter of complete trust.
“The
issue would be in relation to trusting this company not to share
this certificate outside of the organization so that someone can
spoof or create another file and say this is authentic because it
has a digital signature,” he added. “There is no way to
determine that [something was tampered with] once the digital
signature is copied or given to another party.”
The
‘God’ power
Another
issue yet unresolved is the degree of access granted to the system
administrator on election day. A rival bidder, Avante Technologies,
said Smartmatic’s personnel were able to remotely access and
change election results all the way from Manila during the 2008
elections in the Autonomous Region in Muslim Mindanao (ARMM).
Avante
was one of the seven joint ventures that bidded for next year’s
automated elections, but was disqualified early in the process for
failure to submit all the required documents. It participated in the
automation of the ARMM elections last year, though, alongside
Smartmatic.
Avante’s
representative, Keshab Roncesvalles, said that Smartmatic’s
technicians were able to correct errors in the precinct count in Wao
municipality in Lanao del Sur by logging in from remote computers in
Manila. While there appeared to be no cheating involved, Avante said
that this power to change results from a remote site was a dangerous
part of Smartmatic’s election system. Smartmatic, for its part,
explained that its technicians simply “unblocked” the results of
Wao’s vote.
This
problem also was cited by the Comelec Advisory Council in a
post-election report that it submitted to the Joint Congressional
Oversight Committee on Automated Election System after the 2008 ARMM
elections.
“There
was a report submitted by Avante to Comelec regarding changing the
data of election results remotely from Manila head office by
Smartmatic-SAHI that if left unchecked can lead to widespread vote
reduction and padding,” said the advisory council.
SAHI,
or the Strategic Alliance Holdings Inc. had initially partnered with
Smartmatic in this latest Comelec bidding. They eventually split up,
leaving SAHI in tandem with the Spanish firm Indra Systemas.
“The
mere fact that they were able to unblock [the count] means that they
were able to access the system,” Avante’s Roncesvalles said.
“You should not be able to tamper with it. It seems you can just
manipulate the results as if they were just Excel files.”
Roncesvalles
added that the system administrator should not be allowed to change
the results in any way.
Manalastas
said, “Remember that in any computer the [system] admin is
‘God.’ He can do anything in the computer. You have to be
careful who God is.”
Scanning
vs. direct voting
Also
at issue is Comelec’s decision to adopt the Precinct Count Optical
Scan (PCOS) system over the Direct Recording Electronic (DRE)
system. Both technologies were used in the 2008 ARMM elections, with
mixed results. But in its Request for Proposals to prospective
bidders, the Comelec made sure that the bids were only for the
optical-scan system.
The
decision to stay with a paper-based automated election system
appears based on the desire to introduce “a new system of voting
to the Filipino electorate nationwide without deviating much from
the manual manner of voting and which protects the voter’s right
to the secrecy of his vote,” the Request for Proposal states.
An
optical-scan machine simply optically scans a paper ballot, and
transmits the tally to a canvassing machine. A Direct Recording
Electronic machine, meanwhile, allows a voter to select his
candidate on a computer touch-screen.
Curiously,
as early as 2004, Smartmatic President Antonio Mugica, in an
interview with Radio Nacional de Venezuela, had declared that an
automated election system based on the scanning of paper ballots was
unreliable and prone to errors.
“That
[scanning] technology has a very important intrinsic problem, and
that is, when one introduces the ballot, the machine makes
errors,” Mugica told Venezuelan radio in June 2004, just two
months before Smartmatic‘s machines serviced the Venezuelan
Presidential Recall Referendum in August of that year.
Margin
of error
Mugica
noted that optical scanning machines failed to read between 5
percent and 15 percent of the ballots. This was the reason, he said,
why Smartmatic was focusing its efforts on Direct Recording
Electronic systems, where the voter casts his vote electronically by
pressing his choices on a computer touch-screen.
“The
new machines avoid that [problem] by permitting a direct vote from
the screen,” Mugica told Radio Nacional de Venezuela.
In its
website, Smartmatic still appears to show a preference for its
Direct Recording Electronic machines over its optical scanner. The
website mostly shows images of its Direct Recording Electronic
machines, the SAES 3300 and the SAES4000, and the company’s
corporate audiovisual presentation only shows direct-recording
machines.
But if
Smartmatic is not so confident with optical scanning systems, it
certainly didn’t let that get in the way of its bid for the
Philippines’ 2010 polls, where it offered its SAES1800 model, the
company’s only optical scanning machine.
Unlike
its touch-screen counterparts, the SAES1800 is basically a paper
scanner that records images of the ballots that are fed into the
machine. The results are then tallied and digitally signed, and
transmitted to a canvassing center.
Open
vote, secret count
CENPEG
Director Bobby Tuazon warned that the technology chosen by the
Comelec for next year’s election has made the election even less
transparent for voters. Voters will see their ballots going into the
scanning machines, but they will not know how the machines read
their ballots, if at all. While the SAES1800 has an LCD panel,
voters will know the results only after the machine prints out the
final tally.
The
machine could be programmed to give the voter instant feedback on
his vote through the LCD, but Comelec disabled this option, fearing
it would slow down the voting process.
“These
expectations for transparent elections are not being addressed by
the Comelec and the kind of technology that the Comelec has
adopted,” Tuazon said.
With
the Precinct Count Optical Scan machines, Tuazon added that
Filipinos would have a transparent vote with a secret count, instead
of a secret vote with a transparent count as envisioned by the
Comelec. This is because Board of Election Inspections members are
likely to see who the voter voted for while they help him feed the
ballot into the scanner; the voter, however, won’t even know
whether the machine recorded his vote.
CENPEG
complained that the Comelec shut out all criticisms during the
protracted bidding process, effectively branding all critics as
proponents of a no-election scenario.
“SBAC
[bids committee] is claiming that everything is transparent,” said
CENPEG observer Rosa Castillo. “We recognize the fact that we were
allowed inside as observers. Pero [But] when we tried to ask
questions, they would not allow us, [they said] that we were
delaying the process, and that did we want to have no elections?”
Castillo
said this was how Comelec officials effectively shot down questions
raised by Manalastas on the private key and the digital signatures
before Smartmatic could reply to these.
Castillo
added, “The important questions like the source code, voter
verifiability, and the integrity of the programs were not
tackled.”
Different
bidding war
Now,
though, all these concerns have been sidelined by the more immediate
issue of whether there will be a joint venture that would take
charge of automating the elections.
Meanwhile,
CER’s Casiple warned that with 11 months still to go before
Filipinos cast their ballots and with full automation already in
limbo, election cheats have started their own bidding war on who can
circumvent, or even take advantage, of the new way of conducting
elections.
“I
just came from Mindanao, and the reports from the field state that
there are already offers to politicians that these operators can do
it [cheat] with the automated system,” Casiple said. “But they
haven’t shown any proof yet that they can really do it.”
It is
not clear how much information these operators have about the
hardware and software to be deployed by Smartmatic and TIM, assuming
the two companies finally get their act together. What is clear is
that these operators think that just like in the olden days of
manual counting, they will still be very well employed in 2010.
|
