The review of the source code of the automated election system is now in full swing at the De La Salle University. By all indications, based on Commission on Elections (COMELEC) Resolution No. 9987 and the conduct of the briefing held last October 8, 2015, Smartmatic-TIM is in the driver’s seat.
There will be two sets of source code to be reviewed within a 7-month period. First is the review of the “baseline source code” which is the source code to be provided by Smartmatic-TIM without the rules and procedures in the counting and consolidation of votes specified in our election laws. This will be followed by a review of the “source code after customization” which is the amended source code that includes the rules and procedures in the counting and consolidation of votes specified in our election laws. The Comelec aimed to give more time for the source code review rather than wait for the automated election system to be fully customized, citing that in 2010 there was only a month’s opportunity to review the source code and in 2013 there was only a 5-day opportunity.
Section 15 refers to the conduct of a “Walkthrough for the baseline source code” and Section 16 refers to the conduct of a “Walkthrough for the source codes after customisation.” These activities will be led by Smartmatic-TIM’s software engineer.
Why should these activities be led by Smartmatic-TIM’s software engineers? Is this an indication that Comelec’s technical personnel are not yet competent and capable to take the lead in the conduct of such activities? Are they not yet knowledgeable in the technology and the software to be used for the 2016 national and local elections? Do they not yet know the system architecture, the data structure, and details of the software? The system provider, Smartmatic-TIM, provided the automated election system in the 2010 and 2013 national and local elections. Knowledge and technology transfer to Comelec’s information technology personnel was part of the previous contracts with Smartmatic-TIM as noted in the Law Department’s opinion issued in November 2014 regarding the extended warranty proposal for the maintenance of the PCOS machines used in 2010 and 2013. It appears that said contractual obligations of Smartmatic-TIM have not yet been met!
Is the use of the phrase “through the system provider” indicative of who will actually manage the automated elections in 2016? Will Comelec again outsource the management and operations of the automated election system in 2016?
Striking is the use of the adjective “sufficient” to describe the source code review found in the second Whereas clause in the Resolution.
The Merriam-Webster Dictionary defines the word “sufficient” as “enough to meet the needs of a situation or a proposed end.” What is needed to meet the needs for the source code review (the situation) or the goal set for the conduct of the source code review (the proposed end)? The second Whereas clause of the Resolution states such goal: “enhance public acceptance of and build public confidence in the Automated Election System.” What is needed for this goal to be met?
Section 20 states that the Commission shall provide and install a read-only copy of the source code. How can a meaningful outcome be generated if code reviewers are limited to reading through the source code only? The Resolution does not even indicate whether the use of tools that automate source code review, enabling static or dynamic review of the source code, is allowed.
Asked about this at the briefing, it was Marlon Garcia of Smartmatic-TIM who responded, and he ranted on the practice of reading through the source code at the rate of 100-200 lines per hour. With at least a million lines of code (as revealed during the briefing), the exercise could very well take 38 to 56 months computed on 8 hours per day, 22 days per month. Asked about the use of automated tools for the source code review, Marlon Garcia said that the tools should be presented to them first.
Section 7 limits the number of code reviewers to ONE per interested political party or group at any one time! Source code review is a collaborative activity so that code reviewers can, right there and then, exchange views and verify/validate findings.
Further, in Section 14 Comelec requires reviewers to sign a Non-disclosure Agreement (NDA), the coverage of which is not indicated in the Resolution. It is understandable that the contents of the source code be covered by non-disclosure. Part of the plan is to release a report to the public on, presumably, the findings of the reviewers. To what extent the reviewers can discuss the findings in public is not defined.
Let’s face IT. The conditions set in Comelec Resolution No. 9987 create a restrictive environment for the conduct of the source code review. To hasten the process, Comelec should allow the use of tools that automate the review of the source code. It should also allow a network set up with PCOS machines to allow observation of how the data will flow between and among the Election Management Systems, Vote Counting Machines or PCOS, and the Consolidation and Canvassing System (CCS) and through the CCS hierarchy, the transparency server and COMELEC’s central server. This would lead to a meaningful source code review rather than one that is simply sufficient.