• Source code review: A restricted environment


    The review of the source code of the automated election system is now in full swing at the De La Salle University. By all indications, based on Commission on Elections (COMELEC) Resolution No. 9987 and the conduct of the briefing held last October 8, 2015, Smartmatic-TIM is in the driver’s seat.

    There will be two sets of source code to be reviewed within a 7-month period. First is the review of the “baseline source code” which is the source code to be provided by Smartmatic-TIM without the rules and procedures in the counting and consolidation of votes specified in our election laws. This will followed by a review of the “source code after customization” which is the amended source code that includes the rules and procedures in the counting and consolidation of votes specified in our election laws. The Comelec aimed to give more time for the source code review rather than wait for the automated election system to be fully customized citing that in 2010 there was only a month’s opportunity to review the source code and for the 2013 there was only a 5-day opportunity.

    Section 15 refers to the conduct of a “Walkthrough for the baseline source code” and Section 16 refers to the conduct of a “Walkthrough for the source codes after customisation.” These activities will be led by Smartmatic-TIM’s software engineer.

    Why should these activities be led by Smartmatic-TIM’s software engineers? Is this an indication that Comelec’s technical personnel are not yet competent and capable to take the lead in the conduct of such activities? Are they not yet knowledgeable in the technology and the software to be used for the 2016 national and local elections? Do they not yet know the system architecture, the data structure, and details of the software? The system provider, Smartmatic-TIM, provided the automated election system in 2010 and 2013 national and local elections. Knowledge and technology transfer to Comelec’s information technology personnel was part of the previous contracts with Smartmatic-TIM as noted in the Law Department’s opinion issued in November 2014 regarding the extended warranty proposal for the maintenance of the PCOS machines used in 2010 and 2013. It appears that said contractual obligations of Smartmatic-TIM have not yet been met!

    Is the use of the phrase “through the system provider” indicative of who will actually manage the automated elections in 2016? Will Comelec again outsource the management and operations of the automated election system in 2016?

    Striking is the use of the adjective “sufficient” to describe the source code review found in the second Whereas clause in the Resolution.

    The Meriam-Webster Dictionary defines the word “sufficient” as “enough to meet the needs of a situation or a proposed end.” What is needed to meet the needs for the source code review (the situation) or the goal set for the conduct of the source code review (the proposed end)? The second Whereas clause of the Resolution states such goal: “enhance public acceptance of and build public confidence in the Automated Election System.” What are needed for this goal to be met?

    Section 20 states that the Commission shall provide and install a read-only copy of the source code. How can a meaningful outcome be generated if code reviewers are limited to read through the source code only? The Resolution does not even indicate if the use of tools that automate source code review which enable static or dynamic review of the source code is allowed.

    Asked about this at the briefing, it was Marlon Garcia of Smartmatic-TIM who responded and he ranted on the practice of reading through the source code at the rate of 100-200 lines per hour. With a least a million lines of code (as revealed during the briefing), the exercise could very well take 38 to 56 months computed on 8 hours per day, 22 days per month. Asked about the use of automated tools for the source code review, Marlon Garcia, said that the tools should be presented to them first.

    Section 7 limits the number of code reviewers to ONE per interested political party or group at any one time! Source code review is a collaborative activity so that code reviewers can, right there and then, exchange views and verify/validate findings.

    Further, in Section 14 Comelec requires reviewers to sign a Non-disclosure Agreement (NDA), the coverage of which is not indicated in the Resolution. It is understandable that the contents of the source code be covered by non-disclosure. Part of the plan is to release a report to the public on, presumably, the findings of the reviewers. To what extent the reviewers can discuss the findings in public is not defined.

    Let’s face IT. The conditions set in Comelec Resolution No. 9987 creates a restrictive environment for the conduct of the source code review. To hasten the process, Comelec should allow the use of tools that automated the review of the source code. It should also allow a network set up with PCOS machines to allow observation of how the data will flow between and among the Election Management Systems, Vote Counting Machines or PCOS, and the Consolidation and Canvassing System (CCS) and through the CCS hierarchy, the transparency server and COMELEC’s central server. This would lead to a meaningful source code review rather than one that is simply sufficient.


    Please follow our commenting guidelines.


    1. Brian Maglutac on

      NATIONAL SECURITY is something you critics seem to forget.! And because of this, the source code review should be in an controlled environment. It is reasonable for Smartmatic to ask you to present to them the kind of automated tools for the source code review. Who knows what these automated tools can do, i.e. copy and store the source code itself for you guys to take home. This is something you have been demanding all these years, to have a hard copy of the source code. Not happening because they are protected by intellectual property rights.

      Secondly, your ulterior motives are suspect because your group is very public about your hatred and disdain against Smartmatic. To put it bluntly, your motives can be to steal and learn the code for your own monetary benefit or find a way to cheat the elections, again for monetary gain.

      If TAPAT is the best that your group of local IT critics can shell out then you have a long way to go. This begs the question, is this really why you are so adamant to take home the source code so you can learn the intricacies of a real industrial strength software and feed it to the programmers of TAPAT?

      Your guru Guz, unprofessionally touts the Filipino IT people as one of the best in the world and belittles the Venezuelan programmers as if alluding that the Filipino programmers are better than the Venezuelans. This is really uncalled for. It is a very poor generalization and bordering of discrimination and bigotry. Desperation is very dangerous!

    2. SLI Global, the foreign independent test authority engaged by and paid for by Comelec even if traditionally it is the solution provider who pays such work will be allowed to USE TOOLS comprising of the following (as stated on page 43 of the official minutes of the JCOC hearing on Sept 17, 2015) :

      “The source code review tools utilized by SRI, includes LocMetric line counter, module finder, parasoft C/C++, ExamDiff Pro and Fortify.”

      Why then are the reviewers of the source code who are part the direct stakeholders in this election PROHIBITED by using automated review tools while the foreign test authoruty can freely do so ?

      This is too much ! This renders the exercise a farce, even a joke and complete unacceptable ! The conditions are too asymentyric to the coiuntry’s disadvantage. Why on earth does Comelec allowing this terrible travesty ? They are unswerable to this possibly treasonous act !

    3. You can write about Smartmatic until you wear out your keyboard. Don’t you see that dirty finger Comelec/Smartmatic is pointing at your face?

    4. Smartmatic knows that the Comelec does not know anything about machine computer elections and saw to it that they control this agency. Unfortunately the Comelec themselves seems not to want to learn the mechanics or they do not want to in purpose so they can continue to receive their commissions and kickback for every purchase, every repair, even every gas thrown at them from the anus of Cesar Flores and his cohorts in the Comelec.